Back to skill

Security audit

Aap Passport

Security checks across malware telemetry and agentic risk

Overview

The skill appears aligned with agent attestation, but it handles persistent identity keys and network verification with enough disclosure, secret-exposure, and server hardening concerns to require review before installation.

Install only if you trust the publisher and the verification servers you configure. Treat the generated AAP identity key as a long-lived credential, avoid sharing it, prefer trusted or self-hosted verifier endpoints, and review dependency updates, CORS settings, logging, and any OpenRouter-based tests before using this in production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises networked verification and likely environment-backed runtime behavior, yet it declares no permissions. This creates a transparency and consent problem: users or hosting platforms may execute a skill with broader capabilities than documented, increasing the risk of unexpected outbound connections or access to sensitive runtime configuration.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The module exposes a callable getPrivateKey() API that returns the raw PEM-encoded private key, which significantly widens the secret's exposure surface. For an attestation/identity component, signing operations can be provided without ever disclosing key material; any consumer with access to this function can exfiltrate or misuse the identity key and permanently impersonate the agent.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The file-level comment claims logging 'never exposes sensitive data', but the implementation logs requester IP addresses and user-agent data in logVerification(). Those values are privacy-sensitive metadata and can become security-relevant when logs are broadly accessible, retained for long periods, or correlated with verification outcomes, making the claim misleading and increasing the risk of accidental data exposure.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script requires an API credential from the environment and uses it to contact a third-party LLM service as part of a local test flow. Even if intended for testing, this expands the trust boundary, risks accidental credential misuse, and is not necessary for a narrowly scoped attestation skill that claims to verify agents/block humans.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code transmits generated challenges and prompts to OpenRouter, which is an external service unrelated to a minimal local verification workflow. Any outbound transmission can expose internal test data, prompt content, metadata, and usage patterns to a third party, creating privacy and supply-chain risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill states that identity is auto-generated and signatures are automatically included, but it does not warn users that cryptographic identifiers, signed proof data, timestamps, and session-related data will be transmitted during verification. This is dangerous because it can create persistent tracking and attribution of agent activity without informed consent, especially given the skill's emphasis on non-repudiation and traceability.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README encourages a one-line remote verification flow without warning that agent identity material, proofs, and challenge responses are sent to a server controlled by the configured endpoint. In a security-sensitive attestation protocol, this omission can lead users to disclose identifying or model-derived data to untrusted infrastructure without informed consent, increasing privacy and trust risks.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README example shows configuring `storagePath` for `Identity` without warning that this likely persists private key material to disk. Developers may copy this pattern into production and store keys in plaintext or insecure locations, increasing the risk of key theft, impersonation of agents, and long-term compromise of attestation trust.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The file explicitly documents and implements behavior intended to exclude humans: 'humans cannot pass,' a 6-second limit, and 7 challenge bursts designed to drive chance success near zero. In the context of an attestation protocol whose stated purpose is to 'Verify AI agents, block humans,' this is not a harmless tuning detail but deliberate discriminatory access control with no user-facing warning, appeal path, or safer fallback, creating a real risk of deceptive denial of service against legitimate users.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Prompt content is sent to an external LLM API without any user-facing disclosure, which can cause silent data transfer to a third party. In an agent skill context, undisclosed outbound transmission is especially risky because operators may assume tests are local while prompts, identifiers, and timing data leave the environment.

External Transmission

Medium
Category
Data Exfiltration
Content
// ============== LLM CALL ==============
async function callLLM(prompt) {
  const response = await fetch('https://openrouter.ai/api/v1/chat/completions', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${OPENROUTER_API_KEY}`,
Confidence
96% confidence
Finding
fetch('https://openrouter.ai/api/v1/chat/completions', { method: 'POST'

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dev": "node --watch server.js"
  },
  "dependencies": {
    "cors": "^2.8.5",
    "express": "^4.18.2"
  },
  "keywords": ["aap", "verifier", "example", "batch"],
Confidence
95% confidence
Finding
"cors": "^2.8.5"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "cors": "^2.8.5",
    "express": "^4.18.2"
  },
  "keywords": ["aap", "verifier", "example", "batch"],
  "license": "MIT"
Confidence
95% confidence
Finding
"express": "^4.18.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "homepage": "https://github.com/ira-hash/agent-attestation-protocol#readme",
  "dependencies": {
    "ws": "^8.16.0"
  },
  "engines": {
    "node": ">=18.0.0"
Confidence
96% confidence
Finding
"ws": "^8.16.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "homepage": "https://github.com/ira-hash/agent-attestation-protocol#readme",
  "dependencies": {
    "ws": "^8.16.0"
  },
  "engines": {
    "node": ">=18.0.0"
Confidence
95% confidence
Finding
"ws": "^8.16.0"

Known Vulnerable Dependency: express==4.18.2 — 2 advisory(ies): CVE-2024-43796 (express vulnerable to XSS via response.redirect()); CVE-2024-29041 (Express.js Open Redirect in malformed URLs)

Low
Category
Supply Chain
Confidence
98% confidence
Finding
express==4.18.2

Known Vulnerable Dependency: ws==8.16.0 — 3 advisory(ies): CVE-2024-37890 (ws affected by a DoS when handling a request with many HTTP headers); CVE-2026-45736 (ws: Uninitialized memory disclosure); CVE-2026-48779 (ws: Memory exhaustion DoS from tiny fragments and data chunks)

High
Category
Supply Chain
Confidence
99% confidence
Finding
ws==8.16.0

Known Vulnerable Dependency: ws==8.16.0 — 3 advisory(ies): CVE-2024-37890 (ws affected by a DoS when handling a request with many HTTP headers); CVE-2026-45736 (ws: Uninitialized memory disclosure); CVE-2026-48779 (ws: Memory exhaustion DoS from tiny fragments and data chunks)

High
Category
Supply Chain
Confidence
99% confidence
Finding
ws==8.16.0

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
...
]`;

  return prompt;
}

/**
Confidence
92% confidence
Finding
return prompt

Unsafe Defaults

Medium
Category
Tool Misuse
Content
environment:
      - NODE_ENV=production
      - PORT=3000
      - CORS_ORIGIN=*
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://localhost:3000/health"]
Confidence
96% confidence
Finding
CORS_ORIGIN=*

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
test/llm-batch-test-internal.mjs:140

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
test/llm-batch-test.mjs:10