Agent Designer

Security checks across malware telemetry and agentic risk

Overview

This is a local agent-design and evaluation toolkit with no malware evidence, but users should review generated architectures before giving agents broad tools or saving sensitive logs.

Install only if you want a local toolkit for planning and evaluating agent systems. Before implementing its generated designs, narrow each agent's tools to the minimum required; add approvals for code execution, file writes, API calls, notifications, and scheduling; and avoid feeding it confidential execution logs unless the output files it writes are stored and retained appropriately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The planner defines a broad default tool catalog that includes code execution, file management, and arbitrary external API access, then later assigns those tools to generated agents without demonstrating requirement-based need. In an agent-design skill, this is dangerous because it normalizes overprivileged architectures and can lead downstream implementations to grant agents capabilities that enable filesystem access, arbitrary code execution, or data exfiltration far beyond the requested system scope.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The single-agent and swarm designs assign all common tools to agents regardless of user requirements, which includes high-risk tools like code_executor, file_manager, and api_client. Because this skill produces architecture recommendations that may be implemented as generated systems, the unconditional inclusion of these capabilities creates a direct overprivilege pattern and increases attack surface across every produced design.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script writes full evaluation outputs derived from execution logs to multiple JSON files, including summaries, recommendations, and error analysis. Because execution logs may contain sensitive task descriptions, error details, metadata, or operational identifiers, this can persist and duplicate sensitive data to disk without warning, redaction, or access controls, increasing disclosure risk on shared systems.

Missing User Warnings

Medium
Confidence: 82%
Finding
The tool description states that search queries are logged for analytics and may be sent through external dependencies, but it does not clearly warn users that their prompts or sensitive search terms may be transmitted, retained, and processed outside the immediate agent context. In an agent skill, that omission can lead to unintentional disclosure of confidential or regulated information.

Missing User Warnings

Medium
Confidence: 79%
Finding
The data_analyzer description acknowledges temporary files and parameter logging but does not clearly disclose that user-supplied data may persist on disk or in logs. For a data-processing tool, that gap can expose sensitive datasets, identifiers, or business information to unintended storage and later access.

Missing User Warnings

Medium
Confidence: 86%
Finding
The document_processor tool can remotely fetch documents, cache them, and log processing activity, yet the description does not clearly tell users that document contents or metadata may be retrieved from external locations and temporarily retained. In a file-processing context, that creates a meaningful risk of confidential document exposure and unexpected data handling.

Missing User Warnings

Medium
Confidence: 90%
Finding
This tool has real-world side effects because it sends outbound communications to recipients, but the description does not make the irreversible nature of execution explicit. In an agent environment, lack of a strong warning increases the risk of accidental spam, data leakage to third parties, or unauthorized contact with external recipients.

Missing User Warnings

Medium
Confidence: 84%
Finding
The task_scheduler creates persistent tasks that can execute later, potentially outside the initiating session, but the description does not clearly communicate that deferred actions may continue autonomously. That omission can cause users to unknowingly authorize future operations with lasting effects or delayed execution of sensitive actions.

Vague Triggers

Medium
Confidence: 89%
Finding
The file_manager tool is defined with a generic 'Manage files and directories' description and accepts only an unconstrained action and path. In a multi-agent architecture, especially with a supervisor delegating tasks, this can lead to unsafe or over-privileged file operations because downstream implementations may permit arbitrary reads, writes, or deletions without policy boundaries.

VirusTotal

64/64 vendors flagged this skill as clean.