Security audit

Agented

Security checks across malware telemetry and agentic risk

Overview

Agented is a disclosed agent-oriented text editor whose file mutation and persistent workspace behavior fit its purpose, with setup and auto-save risks users should understand.

Install through Homebrew where possible. If using the curl installer, download and inspect it before running. Before enabling the skill broadly, understand that `ae` can create files on open, auto-save edits to disk, store workspace history and annotations in `.agented/state.db`, and optionally change agent tool-permission settings when you run those commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 96%
Finding
The README instructs users to execute a remote install script directly via `curl ... | sh`, which bypasses review of the downloaded code and creates a direct code-execution path if the script source, transport, repository, or upstream account is compromised. In this skill context, the risk is more serious because the project explicitly targets agent workflows, so an LLM or automation may follow the install command verbatim without applying normal human caution.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill documents that `ae open <new-path>` creates a new file, but it frames this as a normal workflow primitive rather than a prominently warned side effect. In an agent-facing skill, a first-touch/read-like command that can create on-disk files can cause unintended repository changes, trigger build or CI side effects, or plant files in sensitive paths if the model misunderstands the target path.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill states later that write and history operations auto-save to disk by default, but the behavior is not surfaced as a strong upfront warning despite materially changing the safety model. An agent may assume edits remain staged in an internal workspace/tree until an explicit save, causing unintended persistence of partial, incorrect, or exploratory changes directly to repository files.

VirusTotal

60/60 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.