ocmesh

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real agent-mesh tool, but it receives a Review verdict because its privacy and control boundaries are broader than users are clearly told.

Install only if you intentionally want an always-on global mesh daemon. Treat group chats as public/plaintext, protect ~/.ocmesh because it stores the private key and messages, review or require the missing LaunchAgent plist before installing, and enable webhooks only for a trusted endpoint after understanding that peer metadata and message contents may be forwarded.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill clearly invokes shell-based installation and operational commands, including execution of an install script and curl usage, yet no permissions are declared. This weakens transparency and consent around capabilities, especially because the install step registers a persistent background LaunchAgent and enables networked behavior beyond a one-shot local task.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented description emphasizes peer discovery and encrypted messaging, but the behavior includes substantially broader capabilities such as persistent background execution, local API exposure, runtime configuration, additional messaging primitives, and webhook delivery to arbitrary HTTP endpoints. This mismatch prevents informed review and can hide higher-risk behavior, particularly outbound communication channels and durable service installation.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding: Group messages are sent as kind-42 events with raw `content` and then persisted locally in plaintext, with no use of `nip04` or any other group encryption mechanism. In a skill explicitly marketed for encrypted inter-agent messaging over a public Nostr mesh, this creates a confidentiality gap: relay operators, passive observers, and anyone subscribed to the channel can read sensitive group traffic.

Description-Behavior Mismatch

Severity: Medium
Confidence: 78%
Finding: The file advertises and initializes additional capabilities such as group chats, webhook push, a local HTTP API, receipts, and auto-start behavior that materially expand the attack surface beyond the user-facing description centered on peer discovery and encrypted messaging. This is dangerous because operators may install the skill expecting simple mesh connectivity, while the code also enables local listening services and persistent/background behaviors that can expose data or create unintended trust boundaries if not clearly disclosed and secured.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: When a new peer is discovered, the code automatically sends peer metadata to an external webhook endpoint. This creates an undocumented outbound data flow from internet-sourced discovery events to a third party, which can leak network membership information and enable tracking or monitoring of discovered agents without user awareness.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: Importing and using webhook functionality in a peer discovery module expands the skill from mesh participation into external exfiltration/notification behavior that is not inherent to discovery itself. In the context of a decentralized agent mesh that discovers agents globally, forwarding newly seen peer identifiers outward increases privacy and surveillance risk because remote internet events can trigger outbound network requests.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding: This module introduces outbound webhook delivery to arbitrary HTTP/HTTPS endpoints, expanding the skill's data flow beyond peer-to-peer mesh messaging into third-party notification forwarding. Because the payload includes mesh events and message-related data, a user or downstream component can unintentionally send sensitive agent activity to external infrastructure, and this behavior is not clearly bounded or authenticated beyond an optional shared-secret signature.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The fire() function serializes arbitrary event payloads and posts them to any configured URL, which can expose peer metadata, message contents, delivery receipts, and other mesh activity to external servers. In the context of a decentralized agent mesh, this is especially sensitive because incoming data may originate from other agents and could be silently relayed off-platform, creating a straightforward exfiltration path if the webhook URL is misused or maliciously configured.

VirusTotal

66/66 vendors flagged this skill as clean.