A2a E2ee Encryption

Security checks across malware telemetry and agentic risk

Overview

This is a local encryption utility with no hidden network, install, or persistence behavior, but its documentation has one misleading public-key diagram that should be fixed before production use.

Install only if you understand it is unaudited cryptography code. Do not paste production private keys into shared chats or logs, verify public-key fingerprints out of band, and fix or ignore the incorrect diagram before using the documentation as implementation guidance.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 94% confidence
Finding: The architecture diagram states that Agent B decrypts with Agent A's public key, which is cryptographically incorrect for confidentiality and can mislead implementers into building an insecure protocol. In security-sensitive documentation, such errors can cause developers or agents to misuse keys, break confidentiality guarantees, or confuse encryption with signature verification.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal