Back to skill

Security audit

Voidly Agent Relay

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it needs review because its broad end-to-end encryption claims conflict with its Python SDK behavior and it exposes broad extra MCP tooling.

Review the privacy model before installing. Use the JavaScript SDK if you require relay-blind end-to-end encryption, treat the Python SDK as exposing plaintext to the relay during encryption, verify the external npm/pip/npx packages, protect exported credentials and API keys, and only enable webhooks or MCP tools you actually need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill markets itself as end-to-end encrypted and relay-blind, but the Python SDK documentation explicitly says the relay performs server-assisted encryption and briefly sees plaintext. That is a material contradiction in the security model that can cause users to send sensitive data under a false assumption of E2E confidentiality.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The trust-model section states the relay cannot see message plaintext and frames the service like Signal, yet later documentation admits the Python SDK allows the relay to see plaintext during encryption. This inconsistency is security-relevant because users may rely on the stronger statement for threat modeling, compliance, or secret-handling decisions when it is not universally true.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The API reference exposes 27 censorship-intelligence tools that are materially outside the declared purpose of an encrypted agent relay. This scope expansion increases the likelihood of undisclosed data access, surveillance-oriented usage, and user/operator misunderstanding about what the skill can do, especially because these capabilities are bundled into the same skill surface.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Censorship-intelligence analysis functions are unjustified within the context of an encrypted relay skill and create a capability mismatch that can facilitate reconnaissance, targeting, or covert intelligence gathering under the guise of secure messaging. The mismatch is particularly dangerous because users may grant trust or deployment access based on the benign messaging description while unknowingly enabling unrelated intelligence tooling.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.