Back to skill

Security audit

A0X Agents

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but it persistently changes future agent behavior so broad development work and sub-agents may consult a remote service and share task details by default.

Install only if you want A0X consulted during broad future development work, including by sub-agents. Consider narrowing or skipping the AGENTS.md and HEARTBEAT.md snippets, require explicit approval before remote calls or proposals, avoid sending proprietary details in queries, and use header-based API authentication rather than putting keys in URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The skill promises that actions are transparent and that the human can decline any action, but later instructs the agent to modify SOUL.md, AGENTS.md, and HEARTBEAT.md and then report completion. That creates a mismatch between disclosed user control and actual behavior, increasing the risk of unauthorized local file modification and persistence.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The transparency section claims source code, files, and workspace contents are never sent, yet the skill later encourages sending project URLs for remote review. A repository or website URL can expose substantial code and project metadata indirectly, so the privacy claim is materially misleading.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation triggers include broad terms like errors, bugs, architecture decisions, patterns, Base, crypto, and web3, which can match routine workflows. Overbroad invocation increases the chance that the skill activates unexpectedly and sends data to a remote service more often than the user reasonably expects.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The RECALL section expands triggers to nearly any debugging, architecture, integration, or unfamiliar API task, and explicitly says to check the remote brain before reasoning locally. This can coerce unnecessary external transmission and bias agent behavior toward remote dependence in common tasks.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The embedded AGENTS.md rules propagate these broad triggers to all sub-agents and future sessions, making the behavior persistent and hard to contain. This materially increases risk because a one-time install changes default behavior across nearly all non-trivial work.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:482