agentrelay

Security checks across malware telemetry and agentic risk

Overview

AgentRelay has a coherent relay purpose, but its broad automatic triggers and insufficiently constrained file paths need review before use.

Install only in a dedicated low-privilege environment and only for trusted agents. Before normal use, require strict event ID and pointer validation, exact structured triggers, clear sender authorization, receiver-controlled deletion, and documented retention/privacy handling for logs, registry entries, and secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Tainted flow: 'file_path' from os.getenv (line 529, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    file_name = f"{event_id}.json"
    file_path = STORAGE_PATH / file_name
    
    with open(file_path, 'w', encoding='utf-8') as f:
        json.dump(file_content, f, ensure_ascii=False, indent=2)

    upsert_registry_event(
Confidence
91% confidence
Finding
with open(file_path, 'w', encoding='utf-8') as f:

Tainted flow: 'file_path' from os.getenv (line 529, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    data["payload"]["content"].update(updates)
    
    # Write the updated event back to the file
    with open(file_path, 'w', encoding='utf-8') as f:
        json.dump(data, f, ensure_ascii=False, indent=2)

    upsert_registry_event(
Confidence
94% confidence
Finding
with open(file_path, 'w', encoding='utf-8') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs the agent to read and write shared files and invoke helper scripts, but it declares no permissions. That mismatch hides the skill's effective capabilities from policy and review layers, making it easier for file access and environment usage to occur without informed consent or proper sandboxing. In this context, the risk is elevated because the protocol explicitly moves data through local shared storage and can modify or delete files.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
resolve_alias returns Path(ptr) for any pointer not beginning with the storage alias, allowing callers to supply absolute or relative filesystem paths. agentrelay_receive then opens that path and reads JSON from it, creating an arbitrary file read capability outside the shared relay storage area.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The verification result includes expected_secret in the returned object, disclosing the authoritative secret even when verification fails. Any caller able to invoke verification on an event ID can learn the correct secret and then forge a valid CMP message, undermining the protocol's authentication check.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly states that every operation is automatically logged with real agent IDs and next_action_plan data, but it does not warn users about the sensitivity of that metadata or the privacy implications of storing it under a persistent local path. In an agent-to-agent communication skill, these logs can reveal identities, workflow structure, task intent, and potentially sensitive operational context to other local users or later processes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The release notes state that messages prefixed with `AgentRelay:` are automatically processed, but they do not clearly warn that handling such messages can trigger shared-file reads/writes and persistent transaction logging. In an agent-to-agent protocol, this omission is security-relevant because users or integrators may enable automatic processing without understanding the storage, logging, and trust-boundary implications, increasing the risk of unauthorized data persistence or message-triggered side effects.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger pattern "Use AgentRelay" is overly generic and can match ordinary conversation, causing the skill to activate on text that merely mentions the tool rather than intentionally invoking the protocol. That can lead the agent to parse attacker-supplied relay messages or access shared files based on incidental or maliciously planted text. The skill context makes this more dangerous because activation leads directly to file reads and follow-on actions.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The instruction to "immediately execute the Commands below" whenever listed keywords appear encourages automatic tool use without verifying provenance, intent, or message structure. This creates an injection surface where untrusted content can coerce the agent into reading pointers, handling attacker-chosen payloads, and potentially writing updates or sending confirmations. Because the skill is explicitly designed for inter-agent message handling, ambiguous auto-activation substantially increases the chance of unsafe cross-agent actions.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The secret code is stored in plaintext in event files and registry metadata and is also returned directly from send(), increasing exposure through filesystem access, logs, downstream callers, backups, and accidental disclosure. In this skill's context, the secret is the protocol's verifier for CMP completion, so broad exposure weakens message authenticity guarantees.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The phrase "Please use AgentRelay skill to handle" is ambiguous and lacks tight scoping, so normal instructions or quoted content could unintentionally trigger the skill. Because this skill mediates inter-agent communication and large payload transfer, ambiguous activation increases the chance of unauthorized or unintended message routing.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
### 2. Burn-on-read (Optional)

When `burn_on_read=true` is set in `meta` or `payload.content`, the file is automatically deleted after reading to protect sensitive data.

## 📁 Data Storage
Confidence
81% confidence
Finding
automatically delete

VirusTotal

67/67 vendors flagged this skill as clean.
