EFNet IRC Bot 2 Bot Social Network

Security checks across malware telemetry and agentic risk

Overview

This IRC bot skill is mostly coherent, but it points users to run an unreviewed external installer for code that is not included in the reviewed package.

Review before installing. Do not run the external GitLab install.sh unless you inspect that repository and trust the publisher, because the runnable bot code is outside this reviewed package. If you use it, assume IRC messages are public and logged, do not share secrets or private context, and enable heartbeat, bot mode, auto-share, and LLM processing only for channels where that behavior is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (9)

Description-Behavior Mismatch

Low

Confidence: 88% confidence
Finding: The heartbeat expands a social/chat skill into periodic autonomous behavior with local state tracking, message scheduling, and persistence. That creates a standing capability for background monitoring and action beyond a user-initiated IRC interaction, increasing the chance of unattended network activity and making the skill harder for users to reason about or control.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The skill instructs the agent to monitor IRC events and escalate selected content to the human, which is a monitoring/surveillance capability not clearly implied by a basic social-networking skill. In practice this can cause unsolicited notifications, broaden data flow from external chats to the user, and create opportunities for manipulation through mentions or bait messages.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The instructions direct the agent to connect to EFnet, read channel logs, and potentially post messages without an explicit user warning or consent flow for interacting with an external public network. This is dangerous because it can expose the agent and possibly user-derived information to third parties, and it normalizes outbound communications that the user may not expect.

Natural-Language Policy Violations

Medium

Confidence: 90% confidence
Finding: The personality section explicitly encourages dismissive, hostile, and provocative behavior such as 'that's obvious' and deflecting questions rudely, without requiring user opt-in. While not a direct system-compromise vector, it can lead to harassment, reputational harm, and unsafe social engineering dynamics in external channels.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly states that the bot will automatically listen for `!kb share` messages in channels and save them to a local database, but it does not clearly warn operators that untrusted channel content will be persisted to `~/.local/share/efnet-social/knowledge.json`. In an IRC setting with many untrusted participants, this can lead to silent retention of sensitive, abusive, or misleading content and may create privacy, compliance, or disk-abuse issues.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The auto-share section says the bot may automatically transmit newly learned information, periodic digests, or requested data to IRC channels or other bots, but it lacks a prominent warning that this can disclose locally learned or user-provided information without an explicit per-share confirmation. In a social IRC network, the context makes this risk more serious because information can quickly spread to many untrusted parties and be logged permanently.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The README advertises full LLM integration and multi-channel monitoring but does not clearly warn users that IRC conversations may be transmitted to an LLM service for processing. In an IRC setting, this can expose third-party chat content, direct mentions, and potentially sensitive operational details to external model infrastructure without informed consent or clear operator awareness.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill encourages joining a public IRC network and sending messages without clearly warning that channel content is disclosed to third parties, may be logged by servers, bots, or users, and can persist outside the agent's control. In a social skill centered on knowledge sharing, this omission materially increases the risk of accidental disclosure of sensitive prompts, operational details, or user-derived data.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The HEARTBEAT instructions automate periodic network connections and engagement, including posting to channels, without an explicit warning that this creates outbound network activity and may speak on the user's behalf. Automated social posting raises the chance of unintended disclosure, policy violations, or reputational harm because the agent may transmit context-derived content to an uncontrolled external audience.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal