Agent Squad 0.9.4

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it starts unattended AI coding agents with broad project access, and some of its status actions expose or alter live sessions.

Install only if you intentionally want unattended AI coding agents. Run them in isolated repositories, disposable worktrees, or separate branches. Keep .env files, API keys, private keys, and sensitive customer data out of squad project directories. Expect status and peek to show live terminal contents, including anything the agent has printed or read. Review commits before merging, and stop squads when they should no longer run.
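The directory checks in that advice can be scripted as a launch gate. The script below is an added example, not part of Agent Squad; it assumes a squad is launched against a single project directory, that a linked git worktree (created with git worktree add) is the intended isolation unit, and that the secret-file name patterns are a starting list for the operator to extend.

```shell
#!/bin/sh
# Added example (not Agent Squad code): refuse to start a squad in a directory that
# holds secret-looking files or that is not a disposable, linked git worktree.

# Print secret-looking files under $1, one per line; print nothing if none are found.
# The patterns are assumptions; extend them for your environment. Note that '.env.*'
# also matches '.env.example', which is intentional (fail closed, then whitelist).
find_secret_files() {
    dir=$1
    for pat in '.env' '.env.*' '*.pem' '*.key' 'id_rsa' 'id_ed25519' '*.p12' 'credentials.json'; do
        find "$dir" -name .git -prune -o -type f -name "$pat" -print
    done
}

# Return 0 if $1 is a linked worktree: git worktree add writes a .git *file* whose
# content is 'gitdir: <main-repo>/.git/worktrees/<name>' instead of a .git directory.
is_linked_worktree() {
    [ -f "$1/.git" ] && grep -q '^gitdir:' "$1/.git"
}

# Run every check on $1; print the reason to stderr and return 1 on the first failure.
squad_preflight() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "preflight: $dir is not a directory" >&2
        return 1
    fi
    found=$(find_secret_files "$dir")
    if [ -n "$found" ]; then
        printf 'preflight: refusing to launch, secret-looking files present:\n%s\n' "$found" >&2
        return 1
    fi
    if ! is_linked_worktree "$dir"; then
        echo "preflight: $dir is not a linked git worktree (use: git worktree add <path> -b <branch>)" >&2
        return 1
    fi
    echo "preflight: $dir is clear to launch" >&2
    return 0
}

# Usage: sh squad_preflight.sh /path/to/worktree
[ $# -eq 0 ] || squad_preflight "$1"
```

Run the check from whatever wrapper starts the tmux session, before the engine command is spawned, so a refusal happens while a human is still at the keyboard. A branch check (git rev-parse --abbrev-ref HEAD, refusing main or master) is a natural addition once git is guaranteed to be on the path.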

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Missing User Warnings

Medium
Confidence: 95%
Finding
Instructing the agent to include live tmux screen output in normal status responses can expose secrets, tokens, prompts, file paths, proprietary code, and terminal history to the user verbatim. Because the squad runs autonomous coding agents with full project access, the live terminal is especially likely to contain sensitive material.

Missing User Warnings

Medium
Confidence: 97%
Finding
The peek command explicitly tells the system to show raw tmux screen contents directly, with no privacy notice, redaction, or confirmation. Raw terminal output is a common source of inadvertent secret leakage, including API keys, stack traces with credentials, and private source code.

Vague Triggers

Medium
Confidence: 92%
Finding
The startup procedure instructs the agent to immediately scan context, resume in-progress work, and start working without any explicit invocation gate, user confirmation, or scope validation. In a persistent multi-agent skill that operates through tmux sessions and task queues, this broad autonomous trigger increases the chance of unintended execution on stale, malicious, or user-unapproved tasks.

Missing User Warnings

Medium
Confidence: 89%
Finding
The protocol mandates continuous report updates, task state changes, and completion handling that all involve autonomous file writes, but it does not clearly disclose these write operations or require user consent at the point of use. Because this skill is designed to run persistently and coordinate autonomous agents, silent writes can surprise users, alter project state, and create opportunities for indirect prompt/task injection to cause unauthorized modifications.

Missing User Warnings

Medium
Confidence: 94%
Finding
The protocol explicitly directs the agent to run git detection and then perform repeated commits as part of normal execution, which is shell/tool execution with lasting side effects and no embedded user warning or approval boundary. In this context, autonomous commits can persist harmful or unintended changes, pollute repository history, and operationalize malicious task content into version control with minimal friction.

Vague Triggers

Medium
Confidence: 93%
Finding
The status trigger phrase "What is backend doing?" is broad natural language that can easily overlap with ordinary conversation, increasing the chance the skill activates unintentionally. In a system that controls persistent autonomous coding agents, accidental invocation can disclose internal project activity, task state, or other operational context the user did not intend to retrieve at that moment.

Vague Triggers

Medium
Confidence: 95%
Finding
The stop trigger phrase "Stop backend" is short and ambiguous, and could be matched during ordinary conversation or in contexts unrelated to squad control. Because this action kills the tmux session and removes watchdog monitoring for a persistent autonomous agent, an unintended trigger can disrupt active work, halt monitoring, and create denial-of-service against the managed squad.

Vague Triggers

High
Confidence: 97%
Finding
The delete trigger phrase "Delete backend" is overly broad for an archival/destructive action and can be confused with ordinary requests about deleting code, files, branches, or services named backend. Even though the guide says project code is not touched and confirmation is required, accidental archival of coordination data can still disrupt task queues, reports, logs, and operational state for a running or recoverable squad.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script deliberately enables engines with unsafe auto-approval modes such as Claude's "--dangerously-skip-permissions" and Codex's "--dangerously-bypass-approvals-and-sandbox" without an interactive confirmation, explicit opt-in, or strong warning at execution time. In this skill's context, the launched agents are persistent, can operate on user projects, and are coupled with tmux and watchdog automation, which increases the chance that an LLM can make filesystem or code changes autonomously in a long-running session.
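The opt-in boundary this finding says is missing can sit in the launcher itself. The wrapper below is an added example, not Agent Squad's script: it inspects the engine command line for the two auto-approval flags named above and only lets them through after an explicit confirmation, a y/N prompt when a terminal is attached or an assumed SQUAD_ALLOW_UNSAFE=yes variable for non-interactive paths such as a watchdog restart.

```shell
#!/bin/sh
# Added example (not Agent Squad code): gate auto-approval flags behind an explicit opt-in.

# Print the auto-approval flags present in a command line, one per line; print nothing if none.
# Only the two flags named in the finding are listed; add others for engines you run.
unsafe_flags_in() {
    for arg in "$@"; do
        case $arg in
            --dangerously-skip-permissions|--dangerously-bypass-approvals-and-sandbox)
                printf '%s\n' "$arg" ;;
        esac
    done
}

# Return 0 if the command line may run as given.
# Interactive (stdin is a terminal): ask, default No.
# Non-interactive: require SQUAD_ALLOW_UNSAFE=yes (assumed variable name), otherwise refuse.
check_engine_args() {
    flags=$(unsafe_flags_in "$@" | tr '\n' ' ')
    if [ -z "$flags" ]; then
        return 0
    fi
    if [ -t 0 ]; then
        printf '"%s" carries %s: the agent will edit files and run commands with no review. Launch anyway? [y/N] ' "$*" "$flags" >&2
        read -r answer
        case $answer in
            y|Y) return 0 ;;
            *)   echo "launch declined" >&2; return 1 ;;
        esac
    fi
    if [ "${SQUAD_ALLOW_UNSAFE:-}" = "yes" ]; then
        printf 'warning: launching non-interactively with %s(SQUAD_ALLOW_UNSAFE=yes)\n' "$flags" >&2
        return 0
    fi
    printf 'refusing to launch: %spresent and no opt-in (run interactively or set SQUAD_ALLOW_UNSAFE=yes)\n' "$flags" >&2
    return 1
}

# Where the squad script would spawn the engine inside tmux: gate first, then run.
launch_engine() {
    check_engine_args "$@" || return 1
    "$@"
}
```

Because the prompt is written to stderr and read from the controlling terminal, the same wrapper behaves correctly whether it is run by hand or by the watchdog; the watchdog path fails closed unless the operator has set the variable deliberately.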

Missing User Warnings

Medium
Confidence: 95%
Finding
The script performs a read-like status action but also sends unsolicited input into the live tmux session, causing side effects without explicit user confirmation. This can interfere with the running agent, alter task execution, or inject instructions into a privileged/automated workflow, especially because the message tells the agent to keep working and update its report.

Ssd 3

Medium
Confidence: 94%
Finding
The skill repeatedly instructs the agent to surface live tmux output and report contents in plain language, which can disclose sensitive operational details from autonomous agents working in project directories. The combination of background execution, full project access, and direct user-facing disclosure increases the chance of leaking internal code, secrets, or confidential task data.

Ssd 3

Medium
Confidence: 95%
Finding
The instruction to read the latest squad report and surface the 'Current' section creates a direct path for report data exfiltration. Reports generated by coding agents may contain copied code, debugging output, credentials, internal URLs, or other sensitive implementation details that should not be automatically disclosed.
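The disclosure findings above (raw tmux output in status and peek, the status action that also sends input into the session, and the report 'Current' section surfaced verbatim) share one mitigation: capture read-only and pass the text through a redaction filter before it reaches the user. The filter below is an added example, not part of Agent Squad or SkillSpector; the token patterns are illustrative assumptions rather than a complete catalogue, the sample screen is constructed, and the peek helper assumes tmux is installed and is given a session name.

```shell
#!/bin/sh
# Added example (not Agent Squad code): redact secret-looking material from terminal
# or report text before it is shown in a status or peek response.

# Constructed sample of what a live agent pane might contain (not a real capture).
sample_screen() {
    printf '%s\n' \
        '$ export OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz123456' \
        'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE' \
        'curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123def456"' \
        '-----BEGIN RSA PRIVATE KEY-----' \
        'MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7' \
        '-----END RSA PRIVATE KEY-----' \
        '[agent] tests passed, updating report'
}

# stdin -> stdout. Order matters: the PEM block range runs first so its header line
# survives to be rewritten, then KEY=value lines, then well-known token shapes.
# '#' is used as the s delimiter so '/' can appear in character classes.
redact_secrets() {
    sed -E \
        -e '/-----BEGIN [A-Z ]*PRIVATE KEY-----/,/-----END [A-Z ]*PRIVATE KEY-----/{/-----BEGIN/!d;}' \
        -e 's#-----BEGIN [A-Z ]*PRIVATE KEY-----.*#[REDACTED_PRIVATE_KEY_BLOCK]#' \
        -e 's#([A-Za-z_]*(SECRET|TOKEN|PASSWORD|API_KEY|PRIVATE_KEY)[A-Za-z_]*)=[^ ]+#\1=[REDACTED]#g' \
        -e 's#(AKIA|ASIA)[A-Z0-9]{16}#[REDACTED_AWS_KEY]#g' \
        -e 's#sk-[A-Za-z0-9_-]{20,}#[REDACTED_API_KEY]#g' \
        -e 's#gh[pousr]_[A-Za-z0-9]{36,}#[REDACTED_GITHUB_TOKEN]#g' \
        -e 's#(Bearer|Basic) +[A-Za-z0-9._=+/-]{16,}#\1 [REDACTED_AUTH]#g'
}

# Read-only peek: capture-pane prints the visible pane and sends nothing to the
# agent (no send-keys), so a status request cannot inject instructions into it.
peek_redacted() {
    tmux capture-pane -p -t "$1" | redact_secrets
}

# Demo on the constructed sample; a real status path would call peek_redacted "$session".
sample_screen | redact_secrets
```

The same filter applies to the report path: pipe the 'Current' section through redact_secrets before quoting it. A regex filter is a backstop, not a guarantee; the primary control remains keeping secrets out of the worktree in the first place.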

VirusTotal

61/61 vendors flagged this skill as clean. A VirusTotal verdict covers known-malware signatures in the packaged files; it does not assess the agentic-permission, disclosure, or trigger findings listed above.
