Back to skill

Security audit

Agent S Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill openly aims to control the desktop and browser, but its authority is under-scoped and the wrapper does not clearly carry the user's task into the launched automation.

Install only if you intentionally want an AI-controlled desktop/browser automation bridge. Use a sandbox, VM, or test browser profile, use dedicated API keys, avoid passwords/MFA/payment data, and manually approve file changes, submissions, purchases, or account actions. Ask the publisher to fix instruction forwarding and document clear safety boundaries before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and enables shell execution, environment-variable use, and file access, yet declares no permissions. In the context of a bridge that can launch desktop/browser automation, this missing disclosure materially weakens user oversight and policy enforcement because callers may invoke a highly privileged skill without realizing it can access credentials and spawn subprocesses.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior does not match the described bridge functionality: it relies on external API credentials, launches an external Agent-S process with fixed configuration, and reportedly does not forward the user’s instruction. This mismatch is dangerous because users may trust it as a transparent NL-driven bridge while it instead introduces hidden dependencies and opaque execution paths that can trigger unintended privileged actions or credential exposure.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The natural-language description is broad enough that the skill may be selected for many generic computer-use requests, even when users do not intend to grant full desktop control. In this context, overbroad triggering is more dangerous because the skill’s stated capability spans the entire desktop and browser, increasing the chance of accidental invocation of a powerful automation path.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation promotes full desktop automation but does not warn users that the skill can manipulate files, applications, sessions, and potentially sensitive on-screen data. In a desktop-control skill, omission of impact warnings materially increases risk because users may expose credentials, modify system state, or authorize destructive actions without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.