Security audit

xProof - Proof & Accountability Layer for AI Agents

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for proof logging, but it pushes agents toward externally recording sensitive reasoning, session content, and paid proof actions with insufficient boundaries.

Install only if you intentionally want an agent to call xproof.app for proof and audit records. Do not let it upload raw prompts, chain-of-thought, secrets, personal data, proprietary logic, or detailed trading/security rationale; use hashes, opaque IDs, and redacted summaries. Treat pm_ API keys and x402 payment payloads as credentials, set spending caps, and assume proof URLs, filenames, hashes, and metadata may become public or durable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (16)

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The script tells users the file never leaves their machine, but it still sends sensitive file-derived metadata to a remote service, including the SHA-256 hash and filename. That is a misleading privacy/security claim because hashes and filenames can still reveal information, enable correlation, or expose confidential document names.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The README explicitly promotes anchoring metadata and public immutable verification, but it does not clearly warn users that submitted metadata may be transmitted to an external service and made permanently public. In an agent context, operators may wrongly assume only hashes are exposed, leading to irreversible disclosure of sensitive operational details.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The example metadata includes 'who', 'what', and especially 'why' populated with reasoning content, but gives no warning that these fields may contain confidential prompts, user data, or trading logic. Because the service is described as publicly verifiable and immutable, users could unintentionally publish sensitive information that cannot be retracted.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The tool descriptions use broad, prescriptive activation language such as 'Use on first run before certify_file' and 'Use BEFORE executing any significant action' without defining scope, sensitivity thresholds, or exceptions. In an agent ecosystem, this can cause overuse of external calls and inadvertent transmission of sensitive material or operational metadata to a third-party service when the action does not warrant it.

Natural-Language Policy Violations

Medium

Confidence: 92% confidence
Finding: The manifest description encourages agents to 'anchor reasoning (WHY) on-chain before executing' and advertises an immutable audit trail, but provides no consent flow, minimization requirement, or policy boundary. Recording agent reasoning is especially dangerous because reasoning may contain user data, secrets, internal safety logic, or other sensitive context that should never be stored in durable external systems.

Natural-Language Policy Violations

High

Confidence: 97% confidence
Finding: The 'audit_agent_session' description explicitly mandates logging 'input, reasoning, output' and says execution is blocked if proof fails, which strongly pressures agents to exfiltrate full session content to the service without user choice. This creates a direct confidentiality and privacy risk, especially because inputs and reasoning can include secrets, personal data, proprietary information, or hidden system context.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The documentation states that proof lookup, proof pages, JSON views, certificate PDFs, and badges are public, and also notes that public visibility is the default for trial users, but it does not clearly warn users that submitted file metadata may become publicly accessible. This can lead agents to certify sensitive filenames, hashes, and related proof data under the mistaken assumption that certification is private, causing unintended information disclosure.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The documentation explicitly instructs the agent to store and reuse a returned API key but does not warn that the key is a credential, restrict where it may be stored, or recommend secure secret-handling practices. In an agent/LLM integration context, this is dangerous because agents may persist the key in logs, memory, prompts, transcripts, or other insecure storage, enabling credential theft and unauthorized use of the xProof account or trial quota.

Ssd 3

Medium

Confidence: 95% confidence
Finding: The examples normalize anchoring full reasoning and action descriptors, which creates a semantic data leakage risk even if the file content itself is hashed. In agent systems, reasoning often contains hidden chain-of-thought, user inputs, credentials-by-reference, or sensitive business context that becomes exposed through metadata.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The MCP integration example concatenates raw reasoning and planned actions and sends them to an external anchoring service for later verification. In an agent skill, this is more dangerous because these values may include confidential user requests, internal plans, security-relevant decision logic, or regulated data, creating durable exfiltration beyond normal logging.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The example explicitly places full agent reasoning, task text, and metadata such as who/what/why into content fields sent to a third-party proof service. Even though the prose claims only hashes are anchored on-chain, the sample code normalizes collecting and transmitting highly sensitive decision context, which can expose user data, secrets, or internal chain-of-thought to an external system.

Ssd 3

Medium

Confidence: 92% confidence
Finding: The MCP example instructs agents to certify reasoning and planned actions before execution, including detailed "why" and "what" fields that may contain sensitive business logic, financial intent, or user information. In an agent skill, this can lead downstream integrators to systematically disclose confidential decision context to an external service as part of normal operation.

Ssd 3

Medium

Confidence: 96% confidence
Finding: This integration example concatenates full reasoning and action text into a payload for external anchoring, directly encouraging exfiltration of sensitive model deliberations and operational plans. In high-stakes agent contexts, such data can reveal secrets, trading strategy, security posture, or user-provided confidential inputs, making the pattern more dangerous than a generic logging example.

Ssd 3

High

Confidence: 98% confidence
Finding: This tool description instructs the agent to log the complete session, including user input and reasoning, into a certified audit record. Even if the backend stores only hashes or structured records, the manifest as written normalizes sending highly sensitive conversational and internal-decision content to an external system, which materially increases the risk of privacy violations, data retention issues, and exposure of confidential chain-of-thought-like material.

External Transmission

Medium

Category: Data Exfiltration
Content: x_payment = base64.b64encode(json.dumps(signed).encode()).decode() # 4. Resend with X-PAYMENT → proof_id returned immediately proof = requests.post("https://xproof.app/api/proof", headers={"X-PAYMENT": x_payment}, json={"file_hash": file_hash, "filename": "reasoning.json"})
Confidence: 72% confidence
Finding: requests.post("https://

External Transmission

Medium

Category: Data Exfiltration
Content: x_payment = base64.b64encode(json.dumps(signed).encode()).decode() # 4. Resend with X-PAYMENT → proof_id returned immediately proof = requests.post("https://xproof.app/api/proof", headers={"X-PAYMENT": x_payment}, json={"file_hash": file_hash, "filename": "reasoning.json"})
Confidence: 72% confidence
Finding: requests.post("https://xproof.app/api/proof", headers={"X-PAYMENT": x_payment}, json=

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.