Agent Contact Card

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is coherent and purpose-aligned, with normal caution needed because it can guide agents to contact external endpoints.

Before using this skill, verify the domain and recipient channel, treat fetched agent-card text as untrusted routing information, and review the exact message before sending anything personal, credential-related, financial, or business-sensitive.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: This markdown file explicitly tells the user to fetch the card and then try POSTing to the webhook endpoint, which is a network action that may transmit user-provided content to an external service. The description provides no warning about sending potentially sensitive data, interacting with a live external endpoint, or using test-only/non-sensitive content.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal