LYGO Champion: ARKOS — Celestial Architect

Security checks across malware telemetry and agentic risk

Overview

This skill is a persona helper with local hash/reference checks and no evidence of hidden control, data exfiltration, persistence, or destructive behavior.

Reasonable to install if you want the ARKOS advisory persona. Treat the linked LYGO-MINT Verifier as a separate package: review its permissions and behavior before using it for minting, ledger writes, or anchor generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3 (Medium)

Category: MCP Least Privilege
Confidence: 82%
Finding: The skill declares itself as a passive persona helper, but it also appears to rely on reading local files such as references/canon.json and related materials without explicitly declaring that capability. Hidden or undeclared file access weakens transparency and can surprise operators, creating opportunities for unintended disclosure of local packaged data or for future expansion into broader filesystem inspection.

Tp4 (High)

Category: MCP Tool Poisoning
Confidence: 90%
Finding: There is a meaningful mismatch between the advertised behavior ('pure advisor; not a controller') and the detected operational behavior of inspecting local files, validating content against hardcoded expectations, and checking for a specific external URL. This undermines informed consent and trust boundaries: a user may invoke what seems like a harmless persona layer while actually triggering data access and integrity checks that were not clearly disclosed.

Vague Triggers (Medium)

Confidence: 86%
Finding: The trigger phrases are broad, imperative, and lack explicit authorization or scope checks, which can cause the verifier workflow to activate on loosely related requests or attacker-supplied content. In a persona helper context, this creates a prompt surface where users or embedded text can induce hashing, ledger writes, or anchor generation without a clear trust boundary, increasing the risk of unintended processing or provenance stamping of untrusted material.

VirusTotal

66/66 vendors flagged this skill as clean.
