Back to skill

Security audit

Agent manager

Security checks across malware telemetry and agentic risk

Overview

This agent-management skill is mostly transparent, but it gives broad delegation and external-notification paths that need careful review before use.

Review and edit the registry before installing. Remove personal Telegram identifiers, disable or restrict external human notifications unless you explicitly want them, require approval for sensitive tasks, and do not rely on can_assign.js as a security boundary without tightening its policy checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The function is presented as checking assignment permissions from the registry, but it unconditionally grants `main` permission to assign to any target without validating the target against configured policy. If callers trust this helper for authorization, anyone able to act as or spoof `main` gains broad delegation privileges, creating an authorization bypass and weakening least-privilege controls.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The routing matrix explicitly allows sending task information to a human over Telegram, which is an external channel, but the document provides no consent, minimization, or warning requirements before disclosure. This can expose sensitive user requests, internal context, or results outside the agent system, especially during escalation or support workflows.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The escalation flow directs unresolved requests to a human via Telegram without any safeguard describing what information may be transmitted. In practice, escalations often include the original request and context, so this creates a clear path for unintended external disclosure of potentially sensitive data.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The reporting protocol permits sending task summaries to a human channel, but it does not warn that results may leave the agent environment or require sanitization. Task results and error details frequently contain sensitive business data, credentials, or internal state, making this an unsafe default.

Ssd 3

Medium
Confidence
98% confidence
Finding
The document exposes a human operator's Telegram identifier in plain text as an escalation path. This creates a privacy and social-engineering risk because anyone with access to the file can target the person directly for phishing, impersonation, harassment, or unauthorized escalation requests.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
### Core Rules
1. **Discovery:** Always check `scan_agents.js` before assuming an agent exists.
2. **Permission:** Never assign a task without checking `can_assign.js` or `agent-registry.md`.
3. **protocol:**
   - IF `requires_approval` is FALSE -> Assign directly.
   - IF `requires_approval` is TRUE -> Ask supervisor (Human or Agent).
Confidence
71% confidence
Finding
without checking

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.