OpenServ Agent SDK

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent OpenServ SDK documentation. Its sensitive behavior, handling credentials and wallet material and hosting agents behind webhooks or tunnels, is disclosed and tied to that purpose.

Install only if you intend to build OpenServ agents. Keep .env files and wallet keys out of version control, restrict file permissions on local secrets, rotate any token that has been exposed, review what your webhooks or tunnels expose before running an agent, and put authorization or confirmation checks in front of file deletion, paid, and on-chain actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill instructs users to call provision(), which creates or reuses a wallet and writes API key and auth token material into the environment, but it gives no strong, explicit warning about secret storage, file permissions, rotation, or avoiding accidental commits and logging. Developers may therefore persist long-lived credentials in .env files or local environments without adequate protection, enabling credential theft and account or wallet compromise.

VirusTotal

66/66 vendors reported this skill as clean.
