Back to skill

Security audit

agent-work-receipts

Security checks across malware telemetry and agentic risk

Overview

This skill is an auditable coding-workflow guide with disclosed local logging and optional artifact upload, but users should review any generated files before sharing them.

Install only if you are comfortable running the referenced BuiltByEcho npm tools. Keep AGENT_BRIEF.md, AGENT_HANDOFF.md, .agent-runs, and .trustlog local by default, review and redact them before sharing, and only set VAULTLINE_API_KEY or run the Vaultline upload example when you intentionally want external persistent storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Vaultline example uploads the contents of a local artifact to an external service using an API key, but the example itself does not prominently warn that the file may contain sensitive repository details, command output, paths, or other data that should not be transmitted by default. In a skill intended for agent workflows and handoffs, users may copy-paste this block as-is, which creates a realistic risk of unintended data exfiltration to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.