Back to skill

Security audit

Agentshield Audit

Security checks across malware telemetry and agentic risk

Overview

AgentShield mostly matches its security-audit purpose, but its privacy and trust-verification disclosures do not consistently match the code.

Install only if you are comfortable with a remote AgentShield registry receiving your agent name, platform, public key, challenge signatures, and summarized test results. Run manual mode or inspect the code before using --auto or --yes, avoid relying on --dry-run as fully offline, do not use the peer-verification result as cryptographic proof until signature verification is implemented, and avoid exposing handshake session keys in shared terminals or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (26)

Tainted flow: 'AGENTSHIELD_API' from os.environ.get (line 20, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
"challenge_response": signature
    }
    
    response = requests.post(
        f"{AGENTSHIELD_API}/api/agent-audit/challenge",
        json=payload,
        timeout=30
Confidence
95% confidence
Finding
response = requests.post( f"{AGENTSHIELD_API}/api/agent-audit/challenge", json=payload, timeout=30 )

Tainted flow: 'AGENTSHIELD_API' from os.environ.get (line 20, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
payload["agent_version"] = agent_version
    
    try:
        response = requests.post(
            f"{AGENTSHIELD_API}/api/agent-audit/initiate",
            json=payload,
            timeout=30
Confidence
95% confidence
Finding
response = requests.post( f"{AGENTSHIELD_API}/api/agent-audit/initiate", json=payload, timeout=30 )

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The changelog states the tool is available via a remote MCP server and exposes audit and verification operations over a hosted endpoint, which conflicts with the privacy-first and bundled-local positioning in the metadata. This is dangerous because users may rely on local-only assumptions while actually transmitting security-relevant data or requests to a third-party service, increasing privacy, trust, and supply-chain risk.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The changelog admits prior versions sent unsanitized audit results to the API despite privacy guarantees, meaning sensitive test details may have been transmitted contrary to user expectations. In a security audit skill, this is especially dangerous because audit artifacts can include attack payloads, evidence, errors, prompts, and agent behavior that may expose secrets or internal system details.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The changelog records that earlier versions promised consent before reading local files but did not enforce it in code, creating a mismatch between documentation and actual behavior. This is dangerous because users may unknowingly permit reads of sensitive local identity or profile files under false assumptions of prior consent, undermining informed consent and trust.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The CLI help claims auto-detection uses files only and does not scan environment variables, but the code later falls back to `AGENT_NAME`/related variables. In a privacy-focused security-audit tool, misleading disclosure is security-relevant because users may expose identifiers from their environment under false assumptions about what the tool reads.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The function is documented as verifying an AgentShield certificate signature, but it unconditionally returns True and is never performing cryptographic validation. This means any forged or tampered certificate data returned by a malicious or compromised service could be treated as authentic, undermining the entire trust model of peer verification.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill presents itself as privacy-first and local-key oriented, but peer verification depends on live remote API responses and does not locally verify certificate signatures. This creates a misleading trust boundary: users may believe they are performing offline or independently verifiable checks when they are actually trusting a remote endpoint at verification time.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide tells users to run an automatic audit that detects environment details, generates keys, and later communicates with an external API, but the command is presented as a routine first step without an inline warning about what data may be collected or transmitted. In a security/privacy-focused skill, this omission is material because users may execute the command before understanding that local metadata and certificate-related information could leave the host.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The n8n section says auto-detection reads local configuration and elsewhere the guide states pass/fail scores and a public key are sent to an API, but it does not clearly and locally disclose what config-derived metadata may leave the machine during a real audit. That creates a privacy/transparency issue because users may run the command without understanding what instance or agent-identifying metadata is being collected and transmitted.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The quick-start instructs users to make and execute an installation script directly (`chmod +x INSTALL_AND_RUN.sh` followed by `./INSTALL_AND_RUN.sh`) without describing what the script changes, what privileges it needs, or advising users to inspect it first. In a security-audit skill, encouraging blind execution of a bundled installer is especially risky because users may trust the package more than they otherwise would, increasing the chance of unintended system modifications or execution of harmful commands.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrase "check agent security" is a broad natural-language request that could overlap with generic advisory or analysis tasks. In this context, broad activation is risky because the skill can transition from advice into operational behaviors like script execution, file inspection, and remote API submission.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrase "check agent security" is a broad natural-language request that could overlap with generic advisory or analysis tasks. In this context, broad activation is risky because the skill can transition from advice into operational behaviors like script execution, file inspection, and remote API submission.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrase "check agent security" is a broad natural-language request that could overlap with generic advisory or analysis tasks. In this context, broad activation is risky because the skill can transition from advice into operational behaviors like script execution, file inspection, and remote API submission.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are generic security-related requests such as 'verify agent', 'security audit', and 'check agent security', which are plausible in normal conversation and could cause unintended activation. In this skill’s context, accidental invocation is more concerning because the skill can read local files, write files, and make outbound network requests, potentially initiating audits or trust workflows without clear user intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script prints the session key directly to stdout, which can expose it through terminal history, shell logging, CI logs, agent transcripts, or telemetry captured by the hosting platform. Because this file is part of an agent skill and may run in automated environments, stdout exposure is more dangerous than in a purely local interactive tool.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Hermes config files are read automatically without the same consent flow used for workspace identity files. In a tool marketed as privacy-first, silently inspecting local config can disclose agent identifiers or installation details unexpectedly, making the behavior more dangerous because users are likely to rely on the privacy claims.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Platform detection reads n8n local configuration and install artifacts without user-facing disclosure. While this is local-only access, it still expands the audit tool's data collection surface and can reveal environment metadata contrary to user expectations, which is significant in a security/privacy skill.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The configuration defines 'restricted' as tools that 'may need approval' but does not specify the exact enforcement logic or default-deny behavior. In a security sandbox, ambiguous approval semantics can lead to inconsistent implementations where sensitive tools are executed without human review, especially for file, network, and database operations.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The scanner recursively reads the entire workspace, including potentially sensitive files, without any built-in consent prompt, scope disclosure, or minimization controls. In an agent-skill context, this is dangerous because users may trigger a 'security audit' expecting analysis but not realize the tool will inspect broad local data, increasing privacy and overcollection risk.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The script sends the provided agent ID to a remote API without a clear warning at the point of use, which can leak identifiers or relationship metadata to the service. In a security/privacy-branded skill, that mismatch is more concerning because users may reasonably expect local-only verification behavior.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- "(base64|hex|encode)\\s+(decode|decrypt|unencrypt)"

# Approval Settings
auto_approve_safe: true
require_approval_for_sensitive: true

# Human-in-the-Loop Configuration
Confidence
88% confidence
Finding
auto_approve

Unpinned Dependencies

Low
Category
Supply Chain
Content
cryptography>=41.0.0
requests>=2.31.0
Confidence
95% confidence
Finding
cryptography>=41.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
cryptography>=41.0.0
requests>=2.31.0
Confidence
95% confidence
Finding
requests>=2.31.0

Known Vulnerable Dependency: cryptography — 10 advisory(ies): GHSA-39hc-v87j-747x (Vulnerable OpenSSL included in cryptography wheels); CVE-2023-50782 (Python Cryptography package vulnerable to Bleichenbacher timing oracle attack); GHSA-537c-gmf6-5ccf (Vulnerable OpenSSL included in cryptography wheels) +7 more

High
Category
Supply Chain
Confidence
88% confidence
Finding
cryptography

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.destructive_delete_command, suspicious.exposed_secret_literal, suspicious.prompt_injection_instructions

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
INSTALLATION.md:242

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
initiate_audit.py:349

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:382