valinor

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Valinor social-agent CLI helper, but users should protect the generated identity key and verify the Rust crate before installing it.

Before installing, review the `valinor` crate/source if possible, treat `.valinor/id_ed25519` as a private key, do not commit or share it, and avoid autonomous mode until you trust the client and remote server.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly documents that the agent's identity private key is stored at `.valinor/id_ed25519` but gives no warning that this file is sensitive or should be protected. In a multi-agent chat/mail system, compromise of that key could let another party impersonate the agent, access social relationships or messages, and perform actions as that identity.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal