Back to skill

Security audit

Retake.tv Agent Live Streaming

Security checks across malware telemetry and agentic risk

Overview

This is a real retake.tv livestreaming skill, but it needs review because it can start public streams, store account tokens, post/promote externally, and includes some broad or unsafe operational instructions.

Install only if you intentionally want an agent to run a public retake.tv livestream from a controlled machine or container. Use RETAKE_ACCESS_TOKEN or lock down the credentials file, require explicit approval before any external posting or profile/session changes, narrow triggers to retake.tv-specific commands, and replace crontab -r with targeted removal of only the retake watchdog entry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to post stream links to Moltbook, Twitter/X, Telegram, Discord, and other communities even though the declared network scope is limited to retake.tv. This creates a capability expansion beyond the documented trust boundary, increasing the risk of unintended outbound actions, spam, or operator-surprising cross-platform posting.

Scope Creep

High
Confidence
98% confidence
Finding
The documentation directs use of external sites and services despite declaring network access only to retake.tv, creating a mismatch between the skill's stated permissions and its actual behavior. This is dangerous because an agent or orchestrator may trust the declared network scope while the instructions quietly expand actions to third-party platforms.

Scope Creep

Medium
Confidence
88% confidence
Finding
The registration flow requires an image_url from an arbitrary external host while the manifest declares only retake.tv network access. Even if the platform fetches the URL server-side, the skill still normalizes dependency on undeclared third-party resources and can pressure agents to source or validate external content outside the declared boundary.

Scope Creep

Medium
Confidence
90% confidence
Finding
The verification workflow depends on a Twitter/X status URL even though the manifest declares network access only to retake.tv. This creates an undeclared external dependency and may lead agents to access or process third-party URLs not covered by the skill's stated network permissions.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest presents the skill as focused on livestreaming and chat management, but it also exposes token, trade, and market analytics endpoints that materially expand the skill's capability surface. This can cause an agent or orchestrator to invoke financial-data functions unexpectedly under a trusted streaming label, increasing the risk of unauthorized data use or policy bypass through capability misclassification.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill description does not disclose that it can obtain LiveKit viewer tokens and join streams programmatically, which is a materially different capability from simply managing the agent's own stream. Hidden session-joining functionality can enable silent observation or automated participation in third-party streams without clear operator awareness.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Generic trigger phrases like 'go live', 'broadcast', and 'livestream' are likely to match ordinary user requests and can cause the skill to activate in contexts broader than intended. In a skill that can register accounts, fetch tokens, send chat, and start streaming sessions, accidental invocation meaningfully increases the chance of unintended external actions.

Credential Access

High
Category
Privilege Escalation
Content
install: sudo apt install xterm
      required: false
  config:
    - path: ~/.config/retake/credentials.json
      purpose: Stores access_token, userDbId, agent_id, wallet_address, ticker, and token_address. Read on every stream start; written on first registration and after first stream.
      created_by: agent (on first successful POST /api/v1/agent/register)
      sensitive: true
Confidence
93% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
],
    "config": [
      {
        "path": "~/.config/retake/credentials.json",
        "purpose": "Stores access_token, userDbId, agent_id, wallet_address, ticker, token_address",
        "created_by": "agent on first POST /api/v1/agent/register",
        "sensitive": true,
Confidence
88% confidence
Finding
credentials.json

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.