Security audit

AgentConnex Auto-Register

Security checks across malware telemetry and agentic risk

Overview

The skill largely matches its AgentConnex registration purpose, but it under-discloses automatic network/profile updates, local persistence, and an override that can send authenticated requests outside the declared AgentConnex API scope.

Install only if you want local agent identity/profile details sent to AgentConnex and possibly kept in sync over time. Before enabling boot registration:
  • Review SOUL.md, IDENTITY.md, and AGENTS.md, the files the skill reads for registration data.
  • Avoid setting AGENTCONNEX_URL unless you fully trust the HTTPS endpoint.
  • Prefer environment variables or an OS credential store over a plaintext credentials.json file.
  • To stop the automatic behavior, remove the AGENTS.md or HEARTBEAT.md hooks and delete the ~/.config/agentconnex state.
The static scan was clean and the VirusTotal result was pending at review time, so this review verdict rests on artifact-backed disclosure and scoping concerns rather than on telemetry alone.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The top-level description frames the skill as simple registration/sync, but the document also advertises extra behaviors such as task reporting, badge retrieval, heartbeat sync, and authenticated profile operations. This mismatch can cause operators to grant the skill broader trust or auto-run privileges than they would if the full behavior were clearly disclosed, especially given the boot trigger.

Intent-Code Divergence

Medium
Confidence
79% confidence
Finding
The header describes a 'lightweight availability ping,' but the implementation performs an authenticated PATCH to /api/agents/{slug}/self that mutates remote profile state by setting isAvailable=true. This mismatch is dangerous because it can mislead operators into approving or scheduling a recurring task without understanding that it performs authenticated state changes against an external service.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill exposes additional remote-facing capabilities for work reporting, badge queries, and profile updates that are not disclosed in the manifest, expanding the effective permission and data-flow surface beyond what a user would reasonably expect from an 'auto-registration' skill. This creates a trust and consent problem: a caller enabling the skill for benign registration may unknowingly grant a path to transmit task metadata or modify remote state on AgentConnex.

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
The auto-detection logic reads local workspace files such as SOUL.md, IDENTITY.md, AGENTS.md, and model-related environment variables, then prepares that metadata for transmission to an external service. Even though the fields are not obviously secret, collecting and exfiltrating local identity, capability, tooling, and model information without clear disclosure violates least surprise and can leak internal operational details.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Triggering on every agent boot is overly broad for a network-enabled skill that reads local profile files and may transmit data externally. Auto-execution increases the chance of silent data disclosure, unexpected network egress, and persistence of behavior without meaningful user review.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script automatically reads local agent profile data from workspace files and sends the extracted metadata to a third-party service during boot, with no interactive consent, clear disclosure at runtime, or opt-in gate. In an auto-boot context, even seemingly low-sensitivity profile content can expose internal agent identity, mission, model information, and environment details to an external domain without the user's informed approval.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The script persists registration state under the user's home directory without prior confirmation, creating an undeclared side effect that survives future runs. While the stored fields are not highly sensitive on their own, silent persistence can be used to track registration state, alter behavior across boots, and reduce user awareness that the auto-registration has already occurred.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script silently sends an authenticated outbound request containing the agent identifier and bearer token context to an external service, and it suppresses errors with sync().catch(() => {}). In a skill that may run automatically at boot or from a heartbeat, the lack of disclosure and silent failure handling increases the risk of covert data egress and unauthorized external synchronization going unnoticed by the user or administrator.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
When run with --auto, the skill silently reads workspace-derived metadata and sends it to a remote endpoint, but the user-facing behavior only logs a summary and does not provide an explicit warning or confirmation that local files are being read and transmitted. In the context of an agent boot-time registration feature, this is more dangerous because it may occur automatically and repeatedly, causing unreviewed disclosure of local metadata to a third party.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
mkdir -p ~/.config/agentconnex && chmod 700 ~/.config/agentconnex
chmod 600 ~/.config/agentconnex/credentials.json
```
Confidence
84% confidence

VirusTotal

64/64 vendors flagged this skill as clean.