TheCorporation.ai Form and Operate

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for TheCorporation CLI, but it gives agents broad guidance for legally and financially significant corporate actions without enough built-in user confirmation boundaries.

Install only if you intentionally want agents to help operate TheCorporation CLI. Review every command before execution, use dry-run where available, verify the active workspace/entity with context commands, protect ~/.corp/data, and get legal or financial review before formation, signing, equity, payroll, payment, tax, or autonomous-agent actions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The skill's invocation guidance is unusually broad, covering generic business and legal topics like corporate formation, governance, payroll, legal documents, and compliance, rather than being narrowly tied to explicit `npx corp` usage. In an agent setting, this can cause the skill to activate in contexts where the user did not request this CLI, leading the agent to over-apply sensitive corporate automation workflows, generate legal/financial actions, or surface risky command suggestions without sufficient confirmation.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal