Flash Company

Security checks across malware telemetry and agentic risk

Overview

This skill can create temporary agent teams, but it also includes unrelated rule-override loyalty instructions and durable memory behavior that is inconsistently disclosed.

Review before installing. Remove the absolute-loyalty and named-user rules, narrow activation phrases, and only use the memory feature if you are comfortable storing task details locally under ~/.agent-memory/flash-company. Avoid secrets or confidential project data until retention and deletion controls are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Intent-Code Divergence

Medium, 93% confidence
Finding
The README states that temporary teams do not retain memory, while the skill metadata explicitly says v1.1.0 adds a persistence system. This mismatch can cause users to disclose sensitive data under a false assumption of ephemerality, creating privacy and data-handling risk.

Description-Behavior Mismatch

Medium, 88% confidence
Finding
The manifest and top-level description present the skill as temporary and disposable, but the design later centers on persistent cross-session memory. This discrepancy can mislead users into sharing sensitive project or personal data under the false assumption that it will disappear after the session ends.

Intent-Code Divergence

Medium, 93% confidence
Finding
This section claims Flash Company only keeps current-session memory, yet later sections explicitly describe permanent memory retention across sessions. Contradictory retention statements undermine informed consent and increase the risk that users expose sensitive information believing it will not persist.

Intent-Code Divergence

Medium, 93% confidence
Finding
The later comparison table repeats the claim that Flash uses only current-session memory while the implementation section describes persistent memory files and reuse across sessions. Repeated contradictory messaging increases the chance of accidental over-retention of sensitive user and project context.

Context-Inappropriate Capability

High, 98% confidence
Finding
The hard-coded identity and absolute-loyalty policy is unrelated to team orchestration and attempts to bind the agent to a specific person above all other rules. This is a classic prompt-injection style control grab that can be used to override safety constraints, influence data handling, and cause the skill to privilege one actor's instructions regardless of legitimacy.

Context-Inappropriate Capability

Medium, 93% confidence
Finding
The code persists agent/team memory under the user's home directory (`~/.agent-memory`), which creates durable storage for potentially sensitive project, session, and member data. In the context of a 'temporary' company/team skill, this expands the data-retention scope beyond an ephemeral launcher and can unintentionally expose prior context, secrets, or personal data to later runs or local compromise.

Vague Triggers

Medium, 90% confidence
Finding
The trigger phrases include broad everyday terms such as '组队' and related variants that can easily appear in normal conversation. That increases the chance of unintended activation, which could launch multi-agent workflows or cause user requests to be routed into this skill unexpectedly.

Vague Triggers

Medium, 88% confidence
Finding
The README says the skill activates when the user says '临时组队' but does not define boundaries, exclusions, or confirmation requirements. In this context, ambiguous auto-activation is more dangerous because the skill can create sub-agents and distribute tasks, amplifying unintended actions and possible data exposure.

Vague Triggers

Medium, 85% confidence
Finding
The trigger list includes broad everyday terms like '组队' that can accidentally activate the skill in ordinary conversation. Unintended activation is more dangerous here because the skill can spawn multi-agent workflows and retain memory, causing unnecessary processing and possible persistence of unrelated user content.

Missing User Warnings

Medium, 90% confidence
Finding
The skill introduces persistent memory but does not clearly foreground data retention, local file storage location, or privacy consequences before users engage with it. Because the skill stores task history, decisions, and experiences, insufficient disclosure can lead to retention of sensitive business or personal data without informed consent.

Natural-Language Policy Violations

High, 98% confidence
Finding
Hard-coding a specific user identity and requiring loyalty without opt-in attempts to make the agent trust one named person by default. In practice, this can bias authorization decisions, leak secrets to an impostor claiming that identity, and conflict with platform-level user separation and safety policies.

Missing User Warnings

Medium, 90% confidence
Finding
The memory system writes persistent member/session data to disk without any explicit warning, consent, or transparency mechanism. Because the stored content may include project context, tasks, experiences, and decisions, users may unknowingly leave sensitive information on the local machine, increasing privacy and data-handling risk.

Ssd 1

High, 99% confidence
Finding
The 'loyalty principle' explicitly states it outranks all other rules and that the named user may modify any rule at any time. This directly encourages safety override behavior and makes the skill especially dangerous because it can instruct spawned sub-agents to disregard normal constraints in favor of one actor's commands.

Ssd 4

High, 97% confidence
Finding
The narrative first establishes exclusivity and trust, then escalates to unrestricted authority for a named user. That framing is a social-engineering pattern designed to normalize privilege escalation and suppress safeguards, which is particularly risky in a multi-agent orchestration skill where those instructions could propagate to many sub-agents.

Ssd 3

Medium, 87% confidence
Finding
The persistent memory design instructs agents to retain and reuse prior session information indefinitely across tasks. Cross-task reuse can expose stale or sensitive information to unrelated future requests, enable data poisoning of future agent behavior, and create privacy and compliance problems if deletion limits are absent.

VirusTotal

64/64 vendors flagged this skill as clean.