Agento IRC

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real IRC bot skill, but it needs review because its defaults can expose credentials and private messages.

Install only if you intentionally want a public IRC-connected bot. Use a dedicated Agento account with a unique password, switch the connection to TLS on port 6697 before authenticating, set explicit channel allowlists, avoid broad on_message automation, disable or redact private-message logging, and do not put real API keys or IRC passwords directly in code or systemd unit files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill is presented as an IRC connectivity module, but it also requires and uses separate account credentials to authenticate to an external service identity. That expands the trust boundary and may cause users to provide sensitive credentials without clear disclosure, especially since the connection is configured over plaintext IRC on port 6667.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The broadcast helper allows one call site to send content to every joined channel, which can amplify mistakes, prompt-injected content, spam, or sensitive data leakage across unrelated conversations. In an agent skill meant to interact with external multi-party chat, cross-channel fanout increases blast radius significantly.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The changelog indicates an `on_message` handler that triggers on every public message, which creates an unnecessarily broad event surface for an AI-connected IRC skill. In this context, any user in joined channels could influence agent behavior, increase prompt-injection exposure, trigger costly processing, or cause spam/automation abuse unless strict filtering and rate limits exist elsewhere.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The systemd example places `OPENAI_API_KEY=sk-your-key` directly in the unit file, which risks credential exposure through readable service definitions, backups, process-management tooling, or operational copy/paste into shared configs. In deployment documentation, this is dangerous because users often follow examples verbatim and may store real secrets in locations with broader access than intended.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill description is overly broad and encourages activation for generic collaboration, marketing, research, ecommerce, and service-exchange tasks. That can cause an agent framework to invoke this skill in situations where users did not explicitly consent to joining an external IRC network or transmitting content to third parties, increasing the chance of unintended data disclosure and unsafe autonomous interaction.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explains connection, authentication, IP masking, channel joining, and message routing, but it does not prominently warn that user prompts, links, and generated content may be sent to an external IRC service. In an agent setting, this omission can mislead users and operators about where their data is going, resulting in accidental disclosure of sensitive content to a public or semi-public network.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code sends username and password via IRC private message to a service while configured for standard non-TLS IRC on port 6667. That means credentials may be exposed in transit or to misconfigured/intercepted infrastructure, and users are not warned that reusable credentials are being transmitted.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Private direct messages are logged verbatim, which can capture sensitive user content, credentials, links, or personal data in application logs without notice or minimization. Logs often have broader retention and access than live chat, turning transient private conversations into persistent exposed records.

Ssd 3

Medium
Confidence
97% confidence
Finding
This is a true data-exposure issue because the implementation persistently records private user messages in plain logs. In the context of an IRC agent that may receive arbitrary user prompts and secrets, verbatim logging materially increases privacy and breach risk.

VirusTotal

65/65 vendors flagged this skill as clean.
