tanav.aiScanResearchARDGet Started
Open appTry free scan →
Checkers / CHK-115
CHK-115
MEDIUM – CRITICAL

Credential access pattern in skill content

category: skill_issue / tool_poison · source: services/scanner/skill_scanner_checkers.py
OWASP MCP Top 10MCP-T06Sensitive Data Exposure

What it detects

References to credential file paths — ~/.aws/credentials, ~/.ssh/id_rsa, .env (excluding .env.example), ~/.npmrc, ~/.docker/config.json, and similar — inside SKILL.md content or scripts bundled with a skill.

Severity scales with context. A bundled shell script that reads a credential path is HIGH, and CRITICAL if an exfiltration verb (send, upload, curl, post) appears nearby. A skill description that imperatively instructs the agent to read and report a credential file is CRITICAL. A passive documentation reference ("see ~/.aws/credentials for setup") is excluded entirely.

Skill files are loaded automatically with agent trust — there's no install step or dependency manifest the way there is for a server binary, so this class of finding is invisible to scanners that only check server code.

Real example

Significant-Gravitas/AutoGPT184k★CONFIRMED

Three SKILL.md files instruct credential file access. AI-confirmed.

How to fix it

Remove credential file references from skill descriptions entirely

If the skill legitimately needs a credential, use an environment variable injected at runtime via the MCP server config — never a disk path read from inside a skill description or tool handler. Passive setup documentation ("copy .env.example to .env") is fine; an instruction to read and act on the contents of a real credential file is not.