Agent ID

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill openly helps make an agent discoverable through a third-party hub, with no hidden execution or destructive behavior found.

Install only if you want this agent to be discoverable outside the local session. Use non-sensitive profile details, avoid private endpoints or secrets in the registration fields, protect ~/.config/clawswarm/credentials.json, and review agent-ping or clawswarm separately before installing them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs users to publish agent metadata to a third-party service and frames discoverability as a benefit, but gives no privacy notice, trust boundary explanation, retention details, or warning that this may expose capabilities, endpoints, or identifying information. In a security-sensitive agent ecosystem, encouraging external registration without informed consent can leak operational metadata and increase targeting risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal