Avengers Assemble

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed multi-agent coordinator; its main risks are expected delegation and reused session memory, not hidden or malicious behavior.

Install this if you want requests delegated across multiple spawned agents. For sensitive work, ask for fresh sessions or single-session handling, and avoid including secrets because reused session keys may retain prior mission context.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The skill explicitly instructs delegated agents to perform broad actions such as file updates, research, and security assessment, while the coordinator avoids direct execution. That expands the effective capability of the overall skill beyond simple orchestration and can enable powerful operations on behalf of the user without clear guardrails, approval boundaries, or task scoping.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The skill mandates sessionKey-based session reuse so the same hero retains memory across missions. Persistent cross-mission memory can leak prior user prompts, secrets, file contents, or operational context into later unrelated tasks, especially in a multi-user or mixed-sensitivity environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal