Security audit

agent-governance

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable educational skill about agent governance patterns, with no hidden installation behavior or unauthorized runtime access.

Reasonable to install as reference material. Treat the included Python snippets as examples, not production-ready compliance controls; harden audit durability, failure handling, policy composition semantics, and tests before using them for sensitive or regulated agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 87%
Finding
The govern decorator executes the protected tool and then performs audit logging inside the same try block. If audit_trail.append fails after the tool has already run, the wrapper raises an exception to the caller even though the side effect already occurred, creating inconsistent enforcement and violating the stated fail-closed principle for governance controls.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.