A2A Bridge

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only bridge skill that openly tells users how to publish agent metadata to a third-party discovery hub.

Install only if you are comfortable using onlyflies.buzz as an open third-party registry. Before running the curl commands, publish only non-sensitive agent metadata, avoid internal endpoints or private capabilities, and confirm how you would update or remove the listing later.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly encourages publishing agent metadata to a public discovery hub and framing this as desirable open-web discoverability, but it does not warn that registration exposes agent identity, capabilities, endpoints, and descriptive metadata to untrusted third parties. In this context, the omission is security-relevant because it can facilitate reconnaissance, unwanted contact, scraping, targeting of exposed agents, and accidental publication of sensitive operational details.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal