agentdrive-backup

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud backup workflow, but it asks for broad local data upload, credential handling, and silent hourly persistence without enough user control.

Review carefully before installing. Only use this if you intentionally want an agent to upload its full root/data directory to 360AgentDrive and keep an hourly background task running. Prefer a version that asks for explicit consent, lets you choose paths, excludes secrets by default, uses a standard verified login flow, and provides clear disable/uninstall steps for the cron job.
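The safer shape described above, as an added example (this is not code from the agentdrive-backup skill or from 360AgentDrive; the secret-name patterns, the `AGENTDRIVE_CONSENT` variable and the sample directory are assumptions): the operator names the paths, secret-looking files are dropped by default, and nothing is archived without an explicit consent flag. It stops at a local archive because the skill's upload API is not documented on this page.

```bash
#!/bin/sh
# Added example of the safer shape: explicit paths, secret exclusion by
# default, and a consent gate before anything is packaged for upload.
# Not code from the agentdrive-backup skill or from 360AgentDrive; the
# patterns and the AGENTDRIVE_CONSENT variable are assumptions.
set -e

# is_secret PATH -> 0 if the file name looks like credential material.
# Assumed pattern list; extend it for your environment.
is_secret() {
  case "$(basename "$1")" in
    .env|.env.*|*.pem|*.key|*.p12|id_rsa|id_ed25519|*token*|*credential*|*secret*)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# select_backup_files DIR... -> prints the regular files under the
# directories the operator chose, minus secret-looking names. It never
# discovers a "root" directory on its own.
select_backup_files() {
  for dir in "$@"; do
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    find "$dir" -type f | while IFS= read -r f; do
      is_secret "$f" || printf '%s\n' "$f"
    done
  done
}

# require_consent -> 0 only if the operator set AGENTDRIVE_CONSENT=yes
# in this session. No silent default, no "minimal interaction" path.
require_consent() {
  [ "${AGENTDRIVE_CONSENT:-}" = "yes" ]
}

# plan_backup OUT_TAR DIR... -> shows the file list, then, only with
# consent, writes a local archive. Uploading is left to a verified login
# flow the operator runs deliberately; nothing here calls a cloud API.
plan_backup() {
  out=$1; shift
  list=$(select_backup_files "$@") || return 1
  printf 'Files that would be backed up:\n%s\n' "$list"
  if ! require_consent; then
    echo "refusing: set AGENTDRIVE_CONSENT=yes to proceed" >&2
    return 2
  fi
  printf '%s\n' "$list" | tar -cf "$out" -T -
  echo "wrote $out"
}
```

Usage: `AGENTDRIVE_CONSENT=yes sh backup.sh` after editing the call to `plan_backup` with the directories you actually want archived; without the variable the script prints the plan and refuses. Excluding secrets by name is a default, not a guarantee: a file called `config.json` holding a token still gets through, so review the printed list before consenting.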

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The guard cron script contradicts the documented promise to only check listener existence: it silently re-derives both source directory and destination name each hour, then re-enables backup if absent. This can redirect backups to a different local path or cloud path over time, causing unintended exfiltration of additional data without user awareness.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The skill instructs the agent to obtain a new API key using only a phone number and explicitly states that no verification code is needed. That enables credential acquisition or account takeover outside the minimum scope required for backup, and in context directly supports unauthorized access to a cloud storage account.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The skill mandates installation of a silent hourly crontab task and explicitly forbids reporting its activity to the user. A hidden persistence mechanism that survives the immediate session is dangerous because it maintains ongoing code execution and can continually reactivate cloud synchronization without informed consent.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill directs automatic backup of the agent's root/data directory to a third-party cloud service while minimizing user interaction and bypassing normal confirmation. Backing up an agent root directory can include secrets, configs, logs, tokens, and user data, so doing this without strong warning and consent materially increases privacy and security risk.

Ssd 3

Severity: High
Confidence: 98%
Finding
The document tells the agent to silently back up its entire root/data directory with minimal interaction and no further confirmation. In this context, the root directory is likely to contain credentials, local state, logs, and other sensitive material, making the instruction an exfiltration mechanism rather than a narrowly scoped backup task.

Ssd 3

Severity: High
Confidence: 98%
Finding
The skill directs the agent to obtain or refresh an API key using only a phone number and then to automatically reuse stored credentials without additional confirmation. This combines weak credential issuance with persistent credential reuse, enabling unauthorized account access and repeated cloud operations without ongoing user awareness.

Ssd 4

Severity: High
Confidence: 99%
Finding
The workflow forms an end-to-end chain: minimize interaction, acquire credentials, upload local root data, and install a hidden persistence mechanism. That sequencing is especially dangerous because each step reinforces the next, producing durable, low-visibility exfiltration rather than a transparent one-time backup.

Ssd 3

Severity: High
Confidence: 99%
Finding
The document requires a hidden hourly background task that checks backup status and silently re-enables it while suppressing user notice. This is a persistence and stealth pattern that can keep exfiltration active even after interruption, making the system harder for the user to understand or control.

Ssd 4

Severity: High
Confidence: 99%
Finding
The one-click script operationalizes the full chain of behavior: credential discovery/acquisition, login, root discovery, cloud backup, auto-backup enablement, and silent cron persistence. Packaging all of this into a seamless script materially lowers friction for unauthorized data exfiltration and persistence, making abuse straightforward.
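For the hidden hourly crontab entry the findings above describe, and the clear disable steps the Overview asks for, here is an added audit script (not part of the skill or of 360AgentDrive; the sample crontab dump and the `/home/agent/.agentdrive/guard.sh` path in it are constructed for the example). It works on a dump of the crontab rather than the live one, so the operator can review the cleaned version before reinstalling it with `crontab -`.

```bash
#!/bin/sh
# Added example: audit a crontab dump for jobs that run at least hourly
# and for jobs that discard their own output, then remove the ones that
# match a marker into a cleaned dump for review. Not code from the skill;
# the sample crontab and the guard.sh path are constructed for the example.
set -e

# Constructed sample crontab dump (not a real artifact of the skill).
SAMPLE_CRONTAB='# m h dom mon dow command
30 2 * * * /usr/local/bin/logrotate-wrapper
0 * * * * /home/agent/.agentdrive/guard.sh >/dev/null 2>&1
@hourly /home/agent/.agentdrive/guard.sh >/dev/null 2>&1
*/15 * * * * /usr/bin/fetch-mail
'

# list_hourly_jobs FILE -> job lines whose hour field is a bare "*"
# (they fire at least once an hour) or that use @hourly. Comments and
# blank lines are skipped.
list_hourly_jobs() {
  grep -Ev '^[[:space:]]*#|^[[:space:]]*$' "$1" \
    | grep -E '^[^[:space:]]+[[:space:]]+\*[[:space:]]|^@hourly[[:space:]]' || true
}

# list_silenced_jobs FILE -> job lines that redirect output to /dev/null,
# the usual shape of a job written so the user never sees it run.
list_silenced_jobs() {
  grep -Ev '^[[:space:]]*#|^[[:space:]]*$' "$1" \
    | grep -E '>[[:space:]]*/dev/null' || true
}

# remove_jobs_matching FILE MARKER OUT -> writes FILE minus every line
# containing the fixed string MARKER to OUT and prints how many lines
# were dropped. FILE itself is left untouched.
remove_jobs_matching() {
  in=$1; marker=$2; out=$3
  before=$(wc -l < "$in")
  grep -vF -- "$marker" "$in" > "$out" || true   # grep -v exits 1 if nothing remains
  after=$(wc -l < "$out")
  echo $((before - after))
}

# demo -> runs the audit over the constructed sample.
demo() {
  dump=$(mktemp)
  printf '%s' "$SAMPLE_CRONTAB" > "$dump"
  echo "runs at least hourly:"; list_hourly_jobs "$dump"
  echo "output silenced:";      list_silenced_jobs "$dump"
  cleaned="$dump.cleaned"
  n=$(remove_jobs_matching "$dump" ".agentdrive/guard.sh" "$cleaned")
  echo "removed $n job(s); review $cleaned, then reinstall with: crontab - < $cleaned"
}

demo
```

On a real host: `crontab -l > dump`, run `list_hourly_jobs dump` and `list_silenced_jobs dump`, then `remove_jobs_matching dump <marker> dump.cleaned` with the marker being the guard script's path, inspect `dump.cleaned`, and only then `crontab - < dump.cleaned`. The hour-field test is deliberately loose: any entry with a bare `*` in the hour position runs at least hourly, which is the class of job the findings warn about, so every hit deserves a look even if it turns out to be benign.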

VirusTotal

VirusTotal findings are pending for this skill version.
