VAGUS MCP

Security checks across malware telemetry and agentic risk

Overview

VAGUS is a plausible phone-integration skill, but it needs Review because it grants persistent, broad phone sensing and control while relying on missing/unreviewed runtime code and weak consent/retention guidance.

Install only if you trust VAGUS, the external repository, the relay, and the Android app permission model. Keep sensitive permissions disabled unless needed, require explicit approval before SMS, clipboard writes, URL opening, calendar changes, TTS, or notifications, avoid always-on daemons unless you intentionally want continuous monitoring, and protect or delete the stored session token and sensor logs when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest description advertises sensor/device-state access and benign phone interaction, but omits higher-risk capabilities like SMS sending, arbitrary URL opening, and calendar modification that are later exposed as tools. This mismatch can mislead users and higher-level policy layers about the real authority of the skill, increasing the chance of unintended sensitive actions being granted or invoked.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
SMS sending is a powerful outbound action that can impersonate the user, leak sensitive information, contact premium numbers, or trigger real-world consequences. The stated purpose focuses on phone awareness and reaching the user through their own device, which does not clearly justify sending messages to third parties.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Creating calendar events modifies persistent user data and can be abused to spam, manipulate schedules, or plant misleading reminders. While somewhat adjacent to assistant workflows, it is not clearly justified by the skill's declared purpose of phone sensing and communication.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Opening arbitrary URLs on the phone can drive users to phishing pages, trigger deep-link behavior, or launch unwanted browser/app actions. This is a meaningful action capability that is not clearly implied by the skill's stated purpose, so users may not anticipate the risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide explicitly recommends always-on monitoring of highly sensitive Android data including location, activity, environment, motion, battery/connectivity state, and triggered raw sensor capture, but does not pair this with any privacy warning, consent guidance, minimization controls, or retention limits. In the context of a phone-integrated agent skill, this materially increases the risk of covert surveillance, overcollection, and collection beyond user expectations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions direct the agent to persist focused sensor captures to timestamped JSONL files and discuss adapting logging into master event logs, but omit warnings that these files may contain sensitive behavioral and environmental data that remain on disk. This creates a realistic privacy and forensic exposure risk if the workspace is shared, backed up, later exfiltrated, or retained indefinitely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises highly sensitive capabilities including location, notifications, clipboard, SMS, URL opening, calendar creation, and device-side output/actions, but does not prominently warn about privacy, consent, and real-world impact. In a skill that bridges an agent to a personal phone, lack of explicit risk disclosure increases the chance of overbroad installation or unsafe use, especially because the capabilities affect both sensitive data exposure and user-facing actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The description highlights access to highly sensitive data sources such as location, notifications, and clipboard, plus the ability to act through the phone, without an upfront warning about privacy implications or consent expectations. That can normalize broad surveillance-style access and increase the likelihood of misuse or uninformed enablement.

Missing User Warnings

Low
Confidence
74% confidence
Finding
The troubleshooting step instructs deletion of the persisted session file but does not clearly warn that this invalidates the current pairing and forces re-pairing. Although low impact, destructive instructions that do not state their consequences can cause avoidable disruption and confusion.

VirusTotal

66/66 vendors flagged this skill as clean.
