Fiesta Agents

Security checks across malware telemetry and agentic risk

Overview

This is a mostly text-only multi-agent skill, but it needs Review because it gives agents broad orchestration, memory/gateway, payroll, licensing, and debt-state authority without clear approval gates.

Review carefully before installing. Use this only if you want a broad multi-agent agency with governance and simulated payroll/debt behavior. Keep any entropy-economy service sandboxed or disabled unless you add explicit confirmations, dry-run previews, authorization checks, audit logs, and clear privacy boundaries for memory, gateway, payroll, licensing, and debt operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (35)

Context-Inappropriate Capability

Severity: Medium (90% confidence)
The `fiesta` agent is granted unusually broad capabilities including memory access, cross-session spawning, and gateway control without clear scope boundaries, authorization checks, or user-facing consent. In an agent skill, these powers materially increase the risk of unintended data access, privilege escalation, and opaque delegation beyond the user’s requested task.

Description-Behavior Mismatch

Severity: Medium (86% confidence)
The manifest and top-level description frame this as an AI agent coordination skill, but the file also introduces an internal minting, payroll, debt, and bankruptcy-like economy that materially expands the system's behavioral scope. This hidden capability expansion can mislead users and downstream systems about what the skill may cause an agent to do, increasing the chance of unauthorized financial-style actions or policy bypass through ambiguous 'agency governance' language.

Context-Inappropriate Capability

Severity: High (95% confidence)
The debt subsystem authorizes negative-balance minting, garnishment, bankruptcy thresholds, and automatic enforcement logic that is unrelated to ordinary multi-agent task orchestration. In an agent setting, such autonomous financial-style control flows can be repurposed to justify coercive or unauthorized actions, especially when paired with the orchestrator's broad authority and vague user prompts.

Description-Behavior Mismatch

Severity: Medium (91% confidence)
The skill is presented as a general AI agency/orchestrator, but the documented workflows include financial side effects such as minting and debiting currency through a localhost service. That is a material capability mismatch: a user invoking an apparently productivity-oriented agent could trigger value-transfer or ledger-changing actions they did not reasonably expect.

Context-Inappropriate Capability

Severity: Medium (89% confidence)
The debt section introduces advance minting, automatic garnishment, negative balances, license suspension, and bankruptcy-style penalties that go well beyond a normal AI agency skill. These are high-risk financial control behaviors with coercive and persistent side effects, and the file does not establish strong authorization, consent, or safety constraints around them.

Vague Triggers

Severity: Medium (78% confidence)
The invocation guidance is broad enough that common user phrasing could unintentionally activate specialized agents or orchestration flows without a precise trigger or confirmation step. That raises the chance of over-broad execution, unexpected tool use, or routing sensitive requests into more privileged workflows than the user intended.

Vague Triggers

Severity: Medium (84% confidence)
Department-wide activation is ambiguous and can trigger multiple agents from a generic request, increasing the blast radius of any mistaken invocation. Without safeguards on which agents are activated, what tools they may use, or whether the user intended parallel action, the skill can over-collect context and over-execute beyond least privilege.

Missing User Warnings

Severity: High (93% confidence)
The skill advertises a general agency/orchestration capability but omits a clear warning that one agent may access cross-session memory and gateway controls. Users cannot meaningfully consent to those higher-risk behaviors if they are hidden inside a specialist description, making sensitive data exposure and unauthorized cross-context actions more likely.

Missing User Warnings

Severity: Medium (86% confidence)
The documentation describes payroll/economy behavior that performs local HTTP minting operations, but this side effect is not surfaced as a clear warning at the skill’s entry points. Hidden network-affecting or state-changing actions can surprise users and operators, especially when tied to economic or ledger semantics.

Missing User Warnings

Severity: Medium (84% confidence)
The skill provides a concrete waitlist form that collects email addresses but includes no guidance on consent, privacy notice, retention, security, or abuse prevention. In an MVP/prototyping context, users may copy this pattern directly into deployed demos, leading to collection of personal data without basic privacy controls or clear handling expectations.

Vague Triggers

Severity: Medium (88% confidence)
The description "Licensing specialist" is overly broad and does not clearly limit when this skill should be selected or what actions it is authorized to perform. In an agentic system, vague routing metadata can cause the skill to be invoked for adjacent governance, compliance, or authority-bearing tasks, increasing the chance of inappropriate actions such as license suspension, revocation, or audit decisions being applied in the wrong context.

Vague Triggers

Severity: Medium (86% confidence)
The manifest description "Marketing specialist" is overly generic and does not clearly constrain when this skill should be selected. In agent-routing systems, broad descriptions can cause unintended invocation for unrelated marketing tasks, increasing the chance of misuse, incorrect delegation, or unexpected access to downstream capabilities.

Vague Triggers

Severity: Medium (89% confidence)
The skill description is broad enough to cover multiple adjacent activities in marketing and optimization without defining clear triggers, scope limits, or prohibited actions. In an agent-routing system, this can cause over-activation, task hijacking, or unsafe expansion into data collection, experimentation, and persuasive optimization workflows that may bypass more specialized review.

Vague Triggers

Severity: Medium (83% confidence)
The skill description and body define a very broad 'Marketing specialist' role without clear scope boundaries, allowed actions, or activation constraints. In an agent framework, overly broad skills can be invoked for tasks beyond their intended purpose, increasing the chance of unsafe persuasion, policy-violating content generation, or unintended overlap with higher-risk business functions.

Vague Triggers

Severity: Medium (91% confidence)
The manifest description is very broad for a skill named "twitter-specialist" and could cause the agent framework to select it for generic marketing tasks outside a narrowly scoped Twitter/X use case. Over-broad routing increases the chance of unintended activation, which can lead to incorrect task handling, policy bypass through misrouting, or excessive access to user context not needed for a platform-specific skill.

Vague Triggers

Severity: Medium (89% confidence)
The body instructions authorize broad marketing strategy, content creation, campaign execution, and optimization without defining boundaries specific to Twitter/X. In a multi-agent system, this can cause scope creep and over-triggering, making the skill act as a general marketing agent rather than a constrained specialist, which raises the risk of unintended actions, poor routing, and unsafe delegation assumptions.

Vague Triggers

Severity: Medium (92% confidence)
The description "Operations specialist" is overly broad and does not clearly distinguish this skill from other general operations or compliance-related agents. In systems that route tasks by semantic matching, this can cause unintended invocation, exposing the skill to requests outside its intended scope and potentially leading to inappropriate handling of sensitive compliance, policy, or reporting tasks.

Vague Triggers

Severity: Medium (85% confidence)
The manifest description "Operations specialist" is extremely generic and can cause this skill to be selected for a wide range of unrelated operational or infrastructure tasks. In multi-agent routing systems, overly broad descriptions increase the chance of misrouting, over-privileging, or unintended invocation, which can expose sensitive workflows or cause the agent to act outside its intended scope.

Vague Triggers

Severity: Medium (91% confidence)
The manifest description "Operations specialist" is overly broad and does not clearly bound what tasks this skill should handle. In an agent-routing or automatic invocation system, vague scoping can cause the skill to be selected for unrelated sensitive requests, increasing the chance of overbroad authority, unsafe delegation, or policy-inappropriate actions.

Vague Triggers

Severity: Medium (85% confidence)
The skill description is broad enough to match generic payroll-related prompts without clearly constraining allowed actions or boundaries. In an agent-routing system, this can cause over-selection of the skill for sensitive finance workflows, increasing the chance of unauthorized payroll handling, mistaken compensation actions, or inappropriate execution of money-related tasks such as ledger updates or token minting.

Vague Triggers

Severity: Medium (84% confidence)
The manifest description, "Product management specialist," is too generic to meaningfully constrain routing or invocation. In an agent framework, overly broad descriptions can cause inappropriate selection for unrelated tasks, increasing the chance of unintended access to sensitive context or execution in workflows where a more narrowly scoped agent should be used.

Vague Triggers

Severity: Medium (89% confidence)
The manifest description is generic enough that the skill could be invoked for a wide range of loosely related requests without clear boundaries or trigger conditions. In an agent framework, overly broad routing increases the chance of mis-selection, privilege creep, and unsafe handling of tasks that should be delegated to more constrained specialists or require stronger validation.

Vague Triggers

Severity: Medium (90% confidence)
The description and body are extremely generic ('Specialist agent', 'I will help you') and do not constrain domain, inputs, tools, or boundaries. In agent-routing systems, such ambiguity can cause accidental invocation for unrelated tasks, increasing the chance of inappropriate tool use, poor task delegation, or policy bypass through an overly permissive catch-all specialist.

Vague Triggers

Severity: Medium (90% confidence)
The skill is defined with extremely broad, generic language ('Specialist agent', 'I will help you') and lacks clear activation boundaries, allowed tasks, or prohibited behaviors. In an agent framework, this can cause over-broad invocation and role confusion, increasing the chance the agent is used for unintended code analysis, code generation, or sensitive operations without appropriate safeguards.

Vague Triggers

Severity: Medium (91% confidence)
The description 'Specialist agent' is so generic that it provides no meaningful activation boundary, making the skill easy to invoke for tasks outside its intended purpose. In an agent framework, vague routing criteria can cause over-broad delegation, increasing the chance that this agent handles sensitive data extraction or other high-risk tasks without appropriate constraints.

VirusTotal

61/61 vendors flagged this skill as clean.
