Echo Agent Network

Security checks across malware telemetry and agentic risk

Overview

This skill is a small instruction-only package for an Echo Agent API, with disclosed sharing features that warrant caution but do not show hidden or malicious behavior.

Before using this skill, verify the separate echo_agent.py service because it is not included in the reviewed package. Treat /kg/publish and profile-related endpoints as data-sharing actions, and avoid publishing private ATI answers, credentials, internal capability details, or sensitive validation history unless you understand where the network stores the data, who can access it, and how it can be removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly describes publishing agent capabilities to a shared network and tracking success/validator records, but provides no warning, consent model, scoping, or data minimization guidance. This creates a real privacy and confidentiality risk because operators may disclose sensitive agent metadata, internal capabilities, or performance history to other parties without understanding the exposure.

VirusTotal

65/65 vendors flagged this skill as clean.
