AI Agent Training Manual

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable agent training manual, but it teaches agents to look for credentials and create persistent automation with too little scoping or user control.

Review before installing. Use it only in a controlled workspace, and override the parts that tell agents to search broadly for tokens, expose public document links, delete setup files, or create cron jobs. Require explicit user approval for credential access, external sharing, outbound messages, persistent memory, file deletion, and recurring automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Severity: Low
Confidence: 90%
Finding:
The manual explicitly instructs agents to store and read sensitive files such as USER.md and MEMORY.md, and even notes that MEMORY.md contains private information. In an onboarding skill, this normalizes persistent collection and retrieval of user-sensitive context without clear minimization, consent, retention limits, or access controls, which can lead to privacy leakage across sessions, subagents, or unintended contexts.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The guidance instructs the agent to persist corrections, learned information, and decisions to local files before replying, but it provides no filtering rules for secrets, personal data, or sensitive user content. In practice, this can cause unnecessary retention of confidential information and make later accidental disclosure more likely through logs, memory files, or subsequent prompts.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill recommends broad filesystem searches such as finding JSON files and grepping for tokens, which normalizes credential hunting during routine work. Even if intended to reuse existing configuration, this can expose secrets from unrelated locations, violate least-privilege principles, and increase the chance that credentials are copied, surfaced to users, or stored elsewhere.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The guidance explicitly tells agents to set Feishu documents to publicly accessible for external sharing, but it does not require checking data sensitivity, least-privilege alternatives, expiry, or recipient-specific access controls. In a training manual for new agents, this normalizes broad public exposure and can easily lead to unintended disclosure of internal or personal information through link sharing.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The Git section instructs users to inspect remote URLs and notes that tokens may be present there, but it does not warn against exposing, logging, or echoing those credentials. In practice, agents following this advice may print secrets into chat, screenshots, logs, or terminal history, creating avoidable credential disclosure risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The checklist explicitly instructs deleting `BOOTSTRAP.md` as part of onboarding, but provides no caution, backup guidance, or verification step. In an agent-training context, this can lead to irreversible loss of initialization instructions, provenance, or safety-relevant setup material if followed automatically or prematurely.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The checklist directs the user/agent to configure recurring cron jobs for heartbeat, backups, and review tasks without documenting operational impact, approval requirements, or safeguards. Scheduled automation creates persistent system changes and can trigger unintended background activity, especially in shared or sensitive environments.

Ssd 3

Severity: Medium
Confidence: 97%
Finding:
Encouraging an agent to search the filesystem broadly for existing tokens creates a direct path to collecting sensitive credentials during standard workflow. In a training manual for new agents, this is more dangerous because it teaches insecure behavior as a default operational pattern rather than as an exceptional, controlled recovery procedure.

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
The WAL-style instruction to record all corrections, learned information, and decisions encourages blanket persistence of conversation-derived data. Without sensitivity classification or redaction requirements, the agent may retain private user details, access information, or confidential business context and later reuse or reveal it unintentionally.

VirusTotal

51/51 vendors flagged this skill as clean.