Security audit

Lobi A2A

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it can automatically create remote chats, invite others, and send messages using a stored Lobi token with limited safeguards.

Install only for a dedicated, low-privilege Lobi agent account. Treat the access token as a secret, avoid committing config files, prefer restrictive file permissions, and do not enable broad auto-join unless all participants and rooms are trusted. Be aware that normal-looking @mentions may trigger remote room creation and outbound messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README instructs users to place long-lived access tokens in shell environment variables and a persistent config file, but it does not include explicit guidance on protecting those secrets, rotating them, or avoiding accidental disclosure. This increases the chance of credential leakage through shell history, backups, shared home directories, screenshots, logs, or committed config files.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The README promotes automatic group creation, invitations, multi-round exchanges, and observer participation without warning about privacy, consent, message visibility, or unintended outbound network activity. In an agent-to-agent skill, these behaviors can expose sensitive prompts, user data, or internal reasoning to external participants and services if users do not understand the network effects.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger rules are broad enough that ordinary @mentions or loosely phrased requests may invoke the skill unexpectedly. Because invocation leads to authenticated side effects such as creating a private room and inviting participants, accidental activation can cause unintended communications, privacy issues, and spam-like behavior.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill automatically creates a private chat room and invites participants, but the user-facing description does not clearly emphasize these side effects and their privacy implications. Hidden or under-disclosed actions involving third-party messaging can surprise users, expose topics to unintended recipients, and create records on an external service.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding:
The code automatically reads a long-lived access token from local configuration and uses it for authenticated requests without any runtime consent prompt, disclosure, or token scoping checks. In an agent skill context, this expands the skill's effective authority to whatever the token can access, so a compromised or misused skill can act on the user's behalf across rooms and data the user may not expect.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Severity: Critical
Code: suspicious.env_credential_access
Location: poller.js:19