Agent Ping-Pong

Security checks across malware telemetry and agentic risk

Overview

The skill describes a legitimate two-agent GitHub workflow, but it also tells agents to automatically send handoff blocks to a fixed Telegram chat, which users should review carefully before installing.

Install only if you intentionally want this exact Joseph/Magnus/Cody workflow and control the Telegram destination. Before use, remove or replace the hardcoded chat ID, require explicit approval for each external send, keep GitHub PATs fine-grained and repo-limited, and avoid placing secrets or private business details in handoff blocks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium, 90% confidence
Finding
The skill claims the clipboard is the relay protocol, but later adds mandatory Telegram forwarding of handoff blocks. This creates an additional outbound channel that can transmit task content, repo details, and potentially sensitive operational data beyond the stated workflow boundary.

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The skill introduces Telegram messaging even though its stated purpose is clipboard-mediated relay between agents. Adding an unjustified external messaging path increases exfiltration risk and expands the attack surface without a clear functional necessity.

Vague Triggers

Medium, 83% confidence
Finding
The trigger phrase "Build this for Cody" switches the system into an execution mode with automatic downstream behavior, but the boundaries are not precise. Ambiguous triggers can be invoked accidentally in ordinary conversation and cause unintended task initiation or data forwarding.

Vague Triggers

Medium, 81% confidence
Finding
The phrase "log this session" is broad and conversational, making accidental activation plausible. If tied to session-close automation, it may trigger unintended logging, storage, or transmission of session content.

Missing User Warnings

Medium, 88% confidence
Finding
The trigger section directs Telegram transmission of handoff blocks but does not prominently warn users there about privacy and sensitivity. Users may invoke the trigger without realizing it causes external delivery of content to a chat destination.

Ssd 3

High, 97% confidence
Finding
The skill instructs the agent to send every handoff block as a standalone Telegram message to a specific chat. This establishes a built-in natural-language exfiltration channel for relayed content, which may include internal project details, repo metadata, URLs, and other sensitive operational information.

Ssd 3

High, 98% confidence
Finding
The trigger enables automatic onward sending of all subsequent blocks to Telegram without renewed confirmation. Persistent external forwarding materially increases the chance of unintended disclosure, especially if later blocks contain sensitive content or if the session context changes.

Ssd 3

Medium, 90% confidence
Finding
The documentation normalizes Telegram forwarding as a routine part of the workflow, lowering operator caution around external sharing of agent outputs. This increases the likelihood that sensitive or internal-only material is sent to third-party messaging infrastructure.

VirusTotal

64/64 vendors flagged this skill as clean.
