Agent Mandate Protocol

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed guide for signing, verifying, and delegating agent permissions; its sensitive key use fits that purpose.

Before installing, verify the npm package source and pin a known-good version. Use a dedicated, least-privilege AMAP_PRIVATE_KEY, keep mandates short-lived and narrowly scoped, send A-MAP headers only to trusted services, and avoid logging private keys or full mandate chains unless required for operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

External Transmission

Medium
Category
Data Exfiltration
Content
privateKey:   process.env.AMAP_PRIVATE_KEY,
})

await fetch('https://api.example.com/book-flight', {
  method:  'POST',
  headers: { 'Content-Type': 'application/json', ...headers },
  body:    JSON.stringify(requestBody),
Confidence
60% confidence
Finding
fetch('https://api.example.com/book-flight', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
privateKey:   process.env.AMAP_PRIVATE_KEY,
})

await fetch('https://api.example.com/book-flight', {
  method:  'POST',
  headers: { 'Content-Type': 'application/json', ...headers },
  body:    JSON.stringify(requestBody),
Confidence
50% confidence
Finding
https://api.example.com/

VirusTotal

63/63 vendors flagged this skill as clean.
