Back to skill

Security audit

Lieutenant - AI Agent Security

Security checks across malware telemetry and agentic risk

Overview

Lieutenant is a coherent security-scanning skill, with the main caution that optional API modes send scanned content to an external service.

Install only if you trust the Lieutenant/TrustAgents ecosystem. Use local mode for confidential prompts, secrets, internal agent cards, or regulated data; use --api only when sending that content to the configured remote service is acceptable, and keep TRUSTAGENTS_API_KEY and TRUSTAGENTS_API_URL under your control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tainted flow: 'api_url' from os.environ.get (line 35, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
if semantic:
        payload["semantic_analysis"] = "fast"
    
    response = requests.post(
        f"{api_url}/verify/text",
        json=payload,
        headers=headers,
Confidence
95% confidence
Finding
response = requests.post( f"{api_url}/verify/text", json=payload, headers=headers, timeout=30, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation demonstrates capabilities that access environment variables, local files, and remote URLs/APIs, but no explicit permission model is declared. In an agent ecosystem, this creates a trust gap: a consumer may invoke the skill without understanding it can read secrets from env, load local JSON files, or contact external services, increasing the chance of unintended data exposure or SSRF-style abuse through agent-card verification flows.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
When --api is used, the tool sends the full scanned text to a remote service, but the CLI provides no runtime disclosure, confirmation, or prominent warning that content leaves the local machine. Because this tool is meant to inspect potentially sensitive prompts, messages, and A2A traffic, silent remote transmission increases privacy and data handling risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
When --api is used, the script sends the entire agent_card object to a remote service, but the CLI does not clearly warn users that potentially sensitive or proprietary card contents will leave the local environment. In a security-verification tool, this matters more because users may assume analysis is local unless data-sharing is made explicit.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:14