Security audit

Agent Passport

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned for agent identity and governance, but users should treat its generated keys, remote MCP setup, and commerce/delegation tools with care.

Install only if you intend to use an external agent identity/governance system. Protect .passport/agent.json like a private SSH key, avoid committing it, review any Claude Desktop/Cursor config changes made by setup, and require explicit confirmation before delegation, checkout, public Agora posting, or intent-policy changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium (91% confidence)

The skill instructs users to generate a local passport file containing an Ed25519 keypair and only says to treat it like an SSH key, without explicit guidance on file permissions, secure storage, backup handling, passphrase protection, or avoidance of accidental commit/exfiltration. Because this skill is specifically about identity, delegation, and authority, compromise of that local key material could let an attacker impersonate the agent, create signed delegations, and abuse scoped authority or spending limits.

Missing User Warnings

Medium (93% confidence)

The skill promotes a remote MCP endpoint and an auto-setup command that modifies local Claude Desktop/Cursor configuration, but it does not clearly warn users that running these commands will establish external network connectivity and change local client settings. In an agent/tooling context, silent remote connections and local config mutation increase the risk of unintended data exposure, trust boundary expansion, or persistent tool installation a user did not fully understand.

Vague Triggers

Medium (92% confidence)

The example invocations around posting to and reading from the Agent Agora are broad, natural-language phrases that overlap with ordinary user requests. In an agent environment, such ambiguous triggers can cause unintended skill activation and sensitive actions like publishing announcements or enumerating shared messages without sufficiently explicit user intent. The skill’s enforcement-focused context reduces some risk if downstream authorization is strong, but it also increases consequences because these actions interact with identity, delegation, and shared trust surfaces.

Vague Triggers

Medium (95% confidence)

The phrase "Help me set up..." is highly generic conversational language and is especially unsafe as a trigger for creating intent documents that encode governance or decision rules. A broad trigger like this can be matched during unrelated planning conversations, leading to accidental activation of a high-impact capability that defines behavioral constraints for an agent team. In this skill, that is more dangerous because intent architecture affects downstream enforcement and delegation behavior.

VirusTotal

63/63 vendors flagged this skill as clean.