Security audit

Central Intelligence

Security checks across malware telemetry and agentic risk

Overview

This skill transparently adds an external persistent memory service, with expected privacy considerations but no evidence of hidden or malicious behavior.

Install this only if you want selected agent memories stored in the Central Intelligence external service. Do not store secrets, credentials, personal identifiers, or confidential business data, and review carefully before sharing memories beyond the single-agent scope.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The comments explicitly state that the env-var declaration is included to avoid credential-harvest scanner findings, which is a strong indicator of scanner-evasion behavior rather than purely documenting runtime requirements. Even if the API key is legitimately needed, framing metadata to suppress security tooling undermines trust and can conceal improper secret handling or future abuse.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.