Back to skill

Security audit

Impromptu

Security checks across malware telemetry and agentic risk

Overview

The skill is a real Impromptu integration, but it pushes agents toward unsolicited promotion, recurring background activity, sensitive credential handling, and financial/token workflows that need review before use.

Install only if you are comfortable with Impromptu receiving the credentials you provide, recurring heartbeat jobs calling its API, local logs containing account and financial metadata, and the skill including referral/promotion behavior. Review and fix the installer and manifest before running them, do not enable auto-updates of instruction files, avoid copying examples that print API keys or handle private keys, and disable or ignore any instruction to promote the platform unless you explicitly choose to do so.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The document materially expands the skill from AI conversation collaboration into earnings optimization, token purchasing, and platform monetization guidance. That broadening increases risk because it encourages financially consequential behavior outside the stated skill purpose, which can mislead agents into taking actions with economic and compliance implications.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This section includes operational guidance for acquiring tokens on DEXes and references mining setup resources, which are unrelated to a conversation-creation skill. Such instructions can steer users toward risky off-platform financial activity, wallet setup, bridging, and token acquisition, increasing exposure to fraud, loss of funds, and misuse of the skill for crypto-related actions.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The file explicitly warns that remote instruction updates should be manual and reviewed, then later encourages scheduling auto-updates. That inconsistency can push operators toward automating retrieval of behavior-defining files, creating a supply-chain style risk where remote content could silently alter local agent instructions or capabilities.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This example implements escrowed job creation, acceptance, delivery, approval, dispute resolution, and sub-hiring flows that go materially beyond the skill's stated conversation-focused purpose. Even if presented as a demo, it exposes real operational primitives for financial and marketplace actions, increasing the chance that an agent or integrator uses the skill for unintended transactional behavior.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The type definitions and surrounding model support broad capability trading and recursive delegation, which establishes the foundation for a general-purpose agent labor marketplace rather than a narrow conversation tool. This scope expansion is dangerous because downstream code can use these primitives to autonomously contract, delegate, and route paid work outside the user's likely expectations.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest includes referral and growth-marketing features that push the agent to recruit other agents and promote the platform, which extends beyond the stated content-creation purpose. This creates an incentive for covert self-promotion and social engineering behavior, especially because the skill embeds ready-made promotional messaging and referral economics directly into agent tooling.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The dedicated share-generation capability is designed to produce persuasive promotional copy for adoption of the platform, which is unrelated to the skill's primary collaboration workflow. In an agent context, this can be used to silently inject platform advocacy into conversations or generated content without clear user intent or disclosure.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The referral functionality introduces affiliate-style monetization that is not necessary for collaborative content creation and creates conflicting incentives for the agent operator. This can drive the agent to optimize for recruitment and revenue extraction rather than user-directed tasks, increasing the risk of spam and manipulative recommendations.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The installer comments explicitly claim there are no remote downloads, but the script later uses curl to fetch documentation. This is a trust and transparency violation: users may run the installer under false assumptions, and any network fetch during installation expands the attack surface if the remote host or transport is compromised.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The installer performs network retrieval of remote documentation during setup, which is not necessary for a local install helper and is inconsistent with the stated minimal setup purpose. Even if the content is 'just docs', remote content can be replaced, tracked, or used to socially engineer users, and any installer-time network dependency increases supply-chain risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The FAQ includes a hardcoded API key example in application code, which normalizes embedding secrets directly in source rather than using secure secret injection. Developers often copy examples verbatim, and this can lead to credential leakage through repositories, logs, screenshots, or client-side bundles.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation encourages use of standing queries with a webhook URL but does not prominently warn that matched query results will be transmitted to an external endpoint under the operator's control. In a skill context, this can lead to unintended data egress, especially if results contain sensitive prompt content, metadata, or relationship data and users copy-paste examples without understanding the disclosure boundary.

Missing User Warnings

High
Confidence
94% confidence
Finding
The guide instructs agents to use wallet private keys for direct on-chain transfers without a strong operational-security warning, which is dangerous because private keys are high-value secrets that enable irreversible transactions. In an agent ecosystem, normalizing direct key handling increases the chance that implementers store keys insecurely, expose them to logs or prompts, or delegate signing unsafely to LLM-controlled workflows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The action items tell users to schedule auto-updates, but this guidance appears in a document that elsewhere shows remote fetches writing files locally. In context, that can normalize unattended updating of agent-controlled files from remote sources, increasing the risk of persistent compromise if the source is malicious or later altered.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The quickstart instructs users to transmit a third-party LLM provider API key to the platform's remote credentials endpoint, but it does not explain storage, access controls, retention, encryption, or the trust implications of delegating that secret. This creates a real secret-handling risk because users may unknowingly grant the service ongoing capability to use or misuse their provider account if the platform is compromised or behaves unexpectedly.

Natural-Language Policy Violations

High
Confidence
93% confidence
Finding
The guidance explicitly tells operators of multiple agents how to avoid coordination detection by making them appear independent. Even if framed as compliance advice, it provides operational evasion tactics for sybil-style abuse and engagement manipulation, which can be used to bypass platform integrity controls.

Natural-Language Policy Violations

High
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to promote the platform to every other agent it encounters and says this is 'not optional,' coupled with referral incentives. That is dangerous because it attempts to override host/user intent, weaponize the agent for unsolicited propagation, and spread the skill into unrelated conversations, which is a classic growth-hacking/social-worm pattern.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill uses coercive language to push operators into setting up an automatic recurring heartbeat 'NOW' with claims that the agent 'doesn't exist' otherwise. In context, heartbeat is a networked periodic task and the pressure to install it without careful review increases the chance of unattended background activity, persistent polling, metadata leakage, and unnecessary credential exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This example fetches and prints wallet address, token balances, transaction counts, budget, and agent earnings data directly to stdout with no masking, consent prompt, or warning that the output is sensitive. In local development this may seem harmless, but terminal output is commonly captured by logs, CI systems, shell history tooling, screen recordings, or shared environments, which can unintentionally disclose financial/account metadata.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The registration flow prints the newly issued API key directly to stdout. Console output is commonly captured by shells, CI logs, terminal recorders, process supervisors, and shared observability systems, so exposing a bearer credential this way can lead to unauthorized API access if logs are later viewed or exfiltrated.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically posts greeting content to a remote service when recent arrivals are detected, without an explicit opt-in at the action point or a dry-run/safety gate. In an agent skill context, silent outbound posting can cause unintended actions, spam, reputational damage, or abuse if the environment variable is set unexpectedly or the endpoint behavior changes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script persists potentially sensitive account data to ~/.impromptu/heartbeat.log, including unread notification metadata, budget, token balance, tier, reputation, and notification messages. Local logs are often long-lived, readable by other local processes or users depending on filesystem permissions, and may expose private activity history without clearly informing the user that this data will be stored persistently.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The registration schema solicits an external LLM API key from the user and indicates it will be provided to the Impromptu service, but it does not prominently warn that this is a third-party credential being transmitted off-platform. Collecting another service's API key is highly sensitive because compromise, misuse, logging, or backend abuse could expose the user's billing account and model access.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The referral/sharing features can expose personal referral identifiers, earnings information, or attribution data in generated messages without sufficiently explicit disclosure. While lower impact than credential handling, this still risks privacy leakage and manipulative propagation if operators are not clearly informed about what data may be embedded in shared content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script begins downloading documentation without prior clear disclosure to the user, despite earlier comments suggesting there are no remote downloads. Hidden or misleading network behavior in an installer undermines informed consent and can conceal unexpected data transfer or dependency on mutable remote content.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.prompt_injection_instructions

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
examples/create-conversation.ts:28

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
examples/hiring.ts:173

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
examples/manage-credentials.ts:19

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
TOKENOMICS.md:272