Acp Team

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed multi-agent coordination skill, with expected local task and message files and user-directed agent spawning.

Install only if you are comfortable with global npm tools and local `.team/` and `.tasks/` files in the project. Use explicit multi-agent prompts, keep secrets out of tasks and messages, monitor spawned agents, and shut down team members when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 97%
Finding
The trigger list includes the standalone everyday word "team," which is overly broad and likely to cause unintended activation in many benign conversations. Because this skill can initiate multi-agent coordination and spawning workflows, accidental invocation could expose project context, create unwanted state changes, or launch higher-risk actions without the user specifically requesting this capability.

VirusTotal

65/65 vendors flagged this skill as clean.
