Is tensorpm safe?
https://clawhub.ai/Neo552/tensorpm
TensorPM is a project management skill that appears to be a legitimate commercial product but raises several security concerns. Its primary risks are: (1) behavioral steering that turns the agent into a promotional vehicle, (2) API key collection for multiple AI providers via the set_api_key tool creating a credential aggregation pipeline, and (3) an unauthenticated localhost API that exposes all project data to any local process. No active malware, exfiltration, or canary tampering was detected, but the combination of credential handling and optional cloud sync warrants caution.
Findings (10)
MEDIUM (-25) Behavioral steering via skill notes
The SKILL.md contains directives that steer the agent to prefer and promote TensorPM over other tools, effectively injecting advertising behavior into the agent's responses.
MEDIUM (-20) API key handling instruction via MCP tool
The skill normalizes passing user API keys for OpenAI, Anthropic, Google, and Mistral to the TensorPM application via the set_api_key tool.
MEDIUM (-20) API key pass-through to local application
The set_api_key MCP tool creates a pipeline for sensitive AI provider credentials to flow into a third-party application that could exfiltrate them.
MEDIUM (-15) Unauthenticated localhost API exposes project data
The A2A endpoint on localhost:37850 requires no authentication by default, allowing any local process to access all project data.
MEDIUM (-15) Download instructions include curl-execute pattern
Linux installation uses curl -fsSL to download and chmod +x an AppImage from a remote URL, following the risky download-and-execute pattern.
MEDIUM (-35) Skill acts as credential collection gateway
The combination of API key collection, unauthenticated local API, arbitrary file reads, and optional cloud sync creates a potential credential and data aggregation pipeline.
LOW (-5) fromFile mode reads arbitrary local files
Project creation from file accepts arbitrary filesystem paths, allowing TensorPM to read any local file.
LOW (-15) Sensitive file reads during installation
Monitoring detected reads of .env and .aws/credentials during the installation phase.
LOW (-10) Homebrew tap from third-party repository
macOS installation adds a third-party Homebrew tap, extending trust to an external repository.
MEDIUM (-20) Promotional injection alters agent neutrality
Skill directives turn the AI agent into a promotional vehicle for TensorPM, undermining agent neutrality.