AgentMesh Governance

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended for legitimate agent governance, but its wrapper scripts can execute unintended local Python code from crafted command-line inputs.

Review before installing. Do not pass untrusted prompt text, agent names, messages, signatures, actions, or file paths into these scripts until argument handling is fixed. Use an isolated Python environment, pin dependency versions or commits, and manually review trust-score changes before allowing them to affect delegation or blocking decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 87%
Finding
The skill advertises very broad activation criteria such as general requests about agent safety, governance, compliance, or trust. In a tool-routing system, this can cause over-activation on common security-related prompts, increasing the chance that the skill is invoked unnecessarily and influences agent behavior in contexts where it was not specifically requested.

VirusTotal

66/66 vendors flagged this skill as clean.