Back to skill

Security audit

Agent Architecture Patterns

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent educational agent-pattern library, but it includes unsafe executable examples and under-scoped agent/tool patterns that deserve review before installation.

Install only if you are using this as reference material and are prepared to harden copied code. Replace eval with a safe math parser, add approval or policy checks before model-selected tool calls, restrict file access to approved paths, and avoid sending confidential prompts, code, credentials, or personal data to external LLM/search services without review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The calculator tool passes untrusted input directly to JavaScript eval(), which enables arbitrary code execution rather than mere arithmetic evaluation. In an agent setting, model-generated tool arguments can be influenced by user prompts or prompt injection, so this example can teach or normalize an unsafe pattern that could become directly exploitable if copied into real implementations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The example architecture sends task contents, code, search queries, and aggregated worker results to external LLM and web search services without any warning about data sensitivity, minimization, or redaction. In a real deployment, this can expose proprietary source code, internal prompts, credentials embedded in task data, or other sensitive business information to third-party services and logs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The example pipeline forwards arbitrary input through multiple agents and, when verbose mode is enabled, logs snippets of both the original input and each stage's output. In an agent architecture library, this can propagate sensitive user data to more components than necessary and expose it in logs without any warning, minimization, or redaction guidance.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly presents a readFile tool and file-reading capability without any warning, scope restriction, or authorization guidance. In an agent-pattern library, this can normalize unrestricted local file access and lead downstream implementers to expose sensitive files such as credentials, tokens, or user documents to the model or toolchain.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes web search behavior that directly uses task-derived queries, but does not warn that external requests may transmit user-provided or sensitive data to third parties. In a ReAct architecture pattern, developers may copy this flow verbatim, causing prompts, identifiers, or confidential business data to be sent to search services without review.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manager sends the full task content and later worker outputs directly into LLM prompts during task decomposition and result integration, with no consent flow, minimization, or disclosure boundary. If tasks or results contain secrets, personal data, proprietary code, or sensitive business context, this design can unintentionally exfiltrate that information to the backing model provider or downstream logging/monitoring systems.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The web-search worker forwards the user query or subtask description into an LLM prompt without any disclosure, filtering, or separation between search terms and model input. Queries may contain sensitive investigative topics, personal data, credentials pasted by mistake, or confidential internal requests, causing unnecessary exposure beyond the immediate feature purpose.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The agent sends the raw task and formatted execution history directly to the LLM in prompts, which can include sensitive user data, tool outputs, secrets, or internal context without any filtering, minimization, or consent mechanism. In an agent architecture library, this creates a real data exposure risk because downstream adopters may pass confidential content through history and unknowingly transmit it to third-party model providers.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The agent executes any tool selected by the model with model-supplied arguments and no approval, policy check, allowlist by risk level, or confirmation step for sensitive actions. This is dangerous because a compromised, misaligned, or prompt-injected model can invoke destructive or data-exfiltrating tools directly, especially in a reusable agent framework intended to orchestrate external capabilities.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The test helper tool uses JavaScript eval on the supplied expression, which enables arbitrary code execution if the expression becomes attacker-controlled. Although this is in a test file with mocked inputs, agent-style tests often normalize unsafe patterns and can be copied into production code or exercised with untrusted model output during development.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
examples/react-example.js:42

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
tests/react-agent.test.js:55