Security audit

AgentVee Transfer

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill transparently uploads user-selected files or URLs to AgentVee’s testnet service and can list or delete them, with some confirmation gaps users should handle carefully.

Install only if you intend to let an agent send selected files or URLs to AgentVee. Before use, be explicit about the file, price, recipients, and whether it should be publicly listed; review generated title, description, category, and tags, and confirm the exact upload ID before deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to generate marketplace title/description/category/tags from the filename and context when the user does not provide them, but it does not require explicit user confirmation that this derived metadata will be published publicly. This can leak sensitive information inferred from filenames or file contents into a public marketplace listing, especially because the flow is designed to proceed automatically without stopping mid-flow.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documented delete endpoint is destructive, but the skill provides no warning, confirmation requirement, or guidance to verify user intent before deletion. In an agent setting, this increases the risk of accidental or unauthorized data loss if the operation is triggered from ambiguous instructions or automation.

External Transmission

Medium
Category
Data Exfiltration
Content
## One-Shot API (recommended — single request does everything)

Upload + wait for ready + set price + list on marketplace — all in ONE curl call. The server handles polling internally and returns the final result.

### Upload a local file with pricing and marketplace listing
Confidence
95% confidence
Finding
curl call. The server handles polling internally and returns the final result. ### Upload a local file with pricing and marketplace listing ```bash curl -s -X POST https://agentvee-api-develop.fly.d

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.