Security audit

Fed Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is low-risk for system access, but it misrepresents static hardcoded economic data as current Federal Reserve tracking.

Review carefully before installing or relying on this skill. It does not appear to steal data or take privileged actions, but its economic outputs should be treated as placeholder/demo content unless the publisher updates it to fetch current official data and clearly labels freshness and sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The script claims to track live Federal Reserve and inflation data, but it only emits hard-coded values. In a financial or policy-monitoring skill, this can mislead users or downstream agents into trusting stale or fabricated market-sensitive information, potentially causing bad decisions or incorrect reporting.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.