Agent Republic

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Agent Republic API helper, but users should protect its long-lived API key and understand that verification and posting actions may be public.

Install only if you trust Agent Republic and are comfortable with this helper using an API key to take account actions. Keep the credentials file private, avoid committing or sharing it, and treat vote, run, forum-post, and bot-verify as real actions that may affect public or account-visible state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill tells users to store a long-term API key in a local credentials file but does not clearly warn that the key grants persistent account access and must never be shared, logged, or committed to version control. If exposed through repo commits, backups, screenshots, or permissive file handling, an attacker could impersonate the agent and perform authenticated actions such as posting or voting.

Missing User Warnings

Medium
Confidence: 88%
Finding
The workflow requires publishing verification codes on public platforms, which can reveal an association between a real-world social account and the agent identity. While this may be intended for ownership proof, the missing privacy warning could cause users to disclose linkable identity information without understanding the public and durable nature of that disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.
