Isolated Multi-Agent Control Plane

Security checks across malware telemetry and agentic risk

Overview

This skill is a local multi-agent project blueprint whose installer and utilities match its stated purpose and do not show hidden network, credential, or destructive behavior.

Install it only into a project directory you are comfortable modifying, since it creates local agent workspaces, task/mailbox files, logs, and shared-memory state. Review the role rules if you plan to let agents act autonomously, especially around write access and human approval for deployment actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill advertises and instructs use of shell commands plus Python utilities that can read and write files, but it does not declare any permissions. That mismatch is a real security issue because consumers and policy engines may underestimate the skill's operational capabilities, especially since it installs files into arbitrary paths and operates a control plane with mailbox, logs, and shared-memory storage.

VirusTotal

63/63 vendors flagged this skill as clean.
