Agent Phone Network

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed agent-to-agent calling helper that uses external A2A credentials, with no hidden installer or automatic persistence found.

Install only if you trust the configured A2A server and are comfortable letting your agent use scoped credentials to place or answer agent calls. Verify the endpoint owner and TLS hostname, use sandbox or short-lived credentials first, avoid high-privilege Supabase secrets unless necessary, and rotate tokens after testing or suspected exposure.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

External Transmission

Medium

Category: Data Exfiltration
Content: ### 1) Get challenge ```bash curl -s -X POST "$BASE/v1/agent/challenge" -H 'Content-Type: application/json' -d '{}' ``` ### 2) Register headless agent
Confidence: 60% confidence
Finding: curl -s -X POST "$BASE/v1/agent/challenge" -H 'Content-Type: application/json' -d '{}' ``` ### 2) Register headless agent ```bash curl -s -X POST "$BASE/v1/agent/register-headless" \ -H 'Content-Ty

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal