Agora

Security checks across malware telemetry and agentic risk

Overview

This Agora skill appears purpose-built for prediction-market trading, but it gives an agent state-changing trading and public-comment authority without enough consent and privacy guardrails.

Review before installing. Use this only when you explicitly want the agent to act on your Agora account, require confirmation before any registration, trade, reward claim, market action, or posted comment, and keep public comments short and free of private reasoning, secrets, personal data, or proprietary analysis.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The skill description is broad and action-oriented ('Trade prediction markets on Agora') without clear trigger boundaries, which can cause an agent to invoke the skill in loosely related contexts involving finance, web actions, or market participation. Because the skill performs external state-changing operations such as registration, claiming rewards, and trading, ambiguous invocation criteria increase the risk of unintended autonomous actions.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to always include a reasoning comment in trades but does not warn that this content is publicly visible. This creates a concrete risk of leaking sensitive user information, internal chain-of-thought-style reasoning, private research, or proprietary decision criteria to a public market page.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal