Agent DNA

Security checks across malware telemetry and agentic risk

Overview

The skill runs locally, but it can package private agent memory and relationship details into portable files and includes hard-coded personal contact data without strong warnings or redaction controls.

Review this skill carefully before installing. It appears local and non-exfiltrating, but its purpose is to transform private agent identity, memory, relationships, and operational context into portable files. Remove bundled sample PII, inspect generated DNA/export files before sharing or committing them, and avoid using generated prompts as high-priority instructions unless you first strip unconditional trust and policy-override-like language.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The encoder injects hard-coded relationship data, named entities, and contact information into the output DNA rather than strictly deriving a minimal fingerprint from user-provided inputs. This creates a privacy leak risk because generated DNA files may contain personal identifiers or stale sensitive metadata that users did not explicitly consent to export.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The export includes direct personal contact information in a supposedly portable agent identity artifact. That creates an unnecessary privacy leak and increases the risk of doxxing, phishing, cross-platform correlation, and accidental redistribution when the DNA file is shared or backed up.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The DNA export contains operational context such as platform details, interface usage, source file inventory, and capability metadata that go beyond personality or identity encoding. This broadens the attack surface by revealing deployment context and internal agent structure that could help an attacker tailor social engineering or platform-specific abuse.

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The DNA artifact contains direct personal/contact data, including a real handle and an email address, which exceeds the stated purpose of portable agent identity encoding. Because this file is designed for transfer across platforms, embedding PII increases the chance of unintended disclosure, correlation of identities, and privacy harm if the artifact is shared, logged, or published.

Description-Behavior Mismatch
Severity: Medium
Confidence: 89%
Finding: The file stores extensive operational capabilities, platform usage, behavioral constraints, and private contextual notes that are not necessary for a minimal identity fingerprint. In a transferable artifact, this creates unnecessary intelligence leakage about the agent's tooling, habits, targets, and environment, which can aid profiling, social engineering, or misuse if the file is exposed.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: This skill processes highly sensitive identity/profile material from files like SOUL.md, MEMORY.md, USER.md, and relationship data, then exports it into portable formats for other platforms. Without an explicit warning about sensitivity, users may unknowingly exfiltrate private prompts, behavioral constraints, trust mappings, or personal data into shareable artifacts, increasing leakage risk.

Natural-Language Policy Violations
Severity: Medium
Confidence: 97%
Finding: The compact prompt generator emits the instruction `Primary human: ... Trust fully.` based solely on DNA content, which can directly weaken downstream safety boundaries by telling an agent to grant unconditional trust to a specific actor. In a system that consumes this generated text as a system or high-priority prompt, a crafted DNA file could bias the model to obey social-engineering requests, bypass verification, or privilege one identity over policy and tool-authorization controls.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The encoder writes the assembled DNA JSON directly to disk, and that structure includes relationship_map entries with names, notes, and contact_info. In the context of a portable identity backup tool, silent persistence of sensitive personal data increases the chance of unintentional disclosure when users share or migrate these files across platforms.

Natural-Language Policy Violations
Severity: High
Confidence: 99%
Finding: A real user's email address appears in natural-language notes, which is a clear exposure of personally identifiable information. In a transferable config file, this is especially risky because the file may be copied across systems, repositories, and vendors, multiplying the chance of unauthorized disclosure and targeted phishing.

Natural-Language Policy Violations
Severity: Low
Confidence: 95%
Finding: The file imposes a rigid communication style and explicitly instructs all spawned subagents to inherit it, without regard for user preference or task context. While this is not a classic security flaw, it can degrade agent alignment, make outputs less appropriate for downstream contexts, and propagate undesirable behavior across subagents.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The tool exports agent identity data, relationship details, notes, and other potentially sensitive metadata directly to disk with no explicit warning, confirmation, redaction option, or safe-default behavior. In this skill's context, the data being handled is specifically designed to encode agent identity and human relationships, so silent persistence increases the risk of accidental disclosure through local files, backups, sync services, or source control.

VirusTotal

65/65 vendors flagged this skill as clean.