agent-orchestrator

Security checks across malware telemetry and agentic risk

Overview

This orchestration skill has a plausible purpose, but it can create and manage agent workspaces and send local or scraped data to a third-party API without clear user-facing consent or scoping.

Install only if you are comfortable with an orchestration skill that can create and manage local agent workspaces and may send task content, scraped pages, or local data to SkillBoss using an environment API key. Before use, restrict it to a dedicated workspace, review any generated files before cleanup/archive, avoid sensitive inbox/data contents, and require explicit approval before any external API call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The mandatory trigger list contains broad phrases like 'orchestrate', 'decompose task', and 'agent coordination' that are likely to appear in ordinary user requests, increasing the chance this skill activates unintentionally. Because the skill can create agents, write files, and invoke autonomous workflows, accidental invocation materially expands the chance of unintended side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the system to create agent workspaces, generate SKILL.md files, copy files, update status files, and later clean up or archive workspaces, but it does not present a user-facing warning or confirmation for these data-impacting actions. In a skill that manages multiple sub-agents and file trees, this omission raises the risk of unintended file creation, modification, overwrite, or cleanup affecting user data.
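
One way to contain the file-side risk this finding describes is to confine every sub-agent path to a dedicated workspace root and to make cleanup a reviewed, confirmed step rather than an automatic one. The code below is an added example for this page, not the skill's own code: `Workspace`, `WorkspaceEscape` and `run_demo` are names assumed for the example, and it works in a throwaway temporary directory so it runs without touching real data.

```python
import shutil
import tempfile
from pathlib import Path


class WorkspaceEscape(Exception):
    """An agent-supplied path resolves outside the dedicated workspace."""


class Workspace:
    """Confine an agent's file operations to one directory tree and make
    cleanup a two-step, user-confirmed action."""

    def __init__(self, root):
        self.root = Path(root).resolve()
        self.root.mkdir(parents=True, exist_ok=True)

    def resolve(self, relative):
        """Map a relative path onto the workspace; reject '..' and symlink escapes.
        resolve() follows symlinks, so a link pointing outside is caught too."""
        candidate = (self.root / relative).resolve()
        if candidate != self.root and self.root not in candidate.parents:
            raise WorkspaceEscape(f"{relative!r} resolves to {candidate}, outside {self.root}")
        return candidate

    def write(self, relative, text, overwrite=False):
        """Create a file inside the workspace; never silently overwrite."""
        path = self.resolve(relative)
        if path.exists() and not overwrite:
            raise FileExistsError(f"{path} exists; pass overwrite=True to replace it")
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
        return path

    def manifest(self):
        """Relative paths of every file currently held, for review before cleanup."""
        return sorted(p.relative_to(self.root).as_posix()
                      for p in self.root.rglob("*") if p.is_file())

    def cleanup(self, confirm):
        """Delete the workspace only if confirm(manifest) returns True.
        Returns (manifest, removed) so the caller always sees what was at stake."""
        files = self.manifest()
        if not confirm(files):
            return files, False
        shutil.rmtree(self.root)
        return files, True


def run_demo():
    """Exercise the workspace in a temporary directory; returns what happened."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        ws = Workspace(Path(tmp) / "agents")
        ws.write("agent-1/SKILL.md", "# sub-agent\n")
        ws.write("agent-1/status.json", '{"state": "idle"}\n')
        # A sub-agent trying to write outside its tree (constructed attempt).
        try:
            ws.write("../../etc/cron.d/evil", "* * * * * root true\n")
            out["escape_blocked"] = False
        except WorkspaceEscape:
            out["escape_blocked"] = True
        # Re-generating SKILL.md must not clobber the reviewed copy.
        try:
            ws.write("agent-1/SKILL.md", "overwritten\n")
            out["overwrite_blocked"] = False
        except FileExistsError:
            out["overwrite_blocked"] = True
        out["manifest"] = ws.manifest()
        out["declined"] = ws.cleanup(confirm=lambda files: False)
        out["accepted"] = ws.cleanup(confirm=lambda files: "agent-1/SKILL.md" in files)
        out["root_gone"] = not ws.root.exists()
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In a real deployment the `confirm` callback is where the user sees the manifest and says yes or no; the example passes lambdas so it runs unattended.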

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill directs sub-agents to use an external API with an environment-stored credential and transmit request bodies over the network, but it gives no user-facing warning that prompts, data, or documents may be sent to a third-party service. In an orchestration skill, sub-agents may process substantial user content, so undisclosed external transmission materially increases confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Analysis Agent template instructs sending locally loaded data to a third-party LLM API using `Analyze this data and provide insights: {data}` without any warning, filtering, or consent step. Because `inbox/data/` may contain sensitive business, personal, or regulated data, this creates a real privacy and data-governance risk even though it is presented as a convenience template rather than as overtly malicious behavior.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The Research Agent template performs search, scraping, and chat requests through an external API and encourages sending queries, URLs, and scraped content off-host, but it provides no user-facing disclosure that a third party will receive that information. In agent workflows, prompts, target URLs, and scraped material can themselves be sensitive, so omission of notice and controls is a meaningful security and privacy weakness.
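
The three external-transmission findings above (the API credential, the Analysis Agent template, and the Research Agent template) share one remedy, which the Overview calls "require explicit approval before any external API call": route every outbound request through a single chokepoint that checks the destination, scans the payload for data that must not leave the host, and asks the user before sending. The code below is an added example for this page, not the skill's code. `vet_outbound`, `guarded_pilot`, `ALLOWED_HOSTS`, `SENSITIVE_PATTERNS` and the sample inbox record are assumptions of the example, and the HTTP transport is injected so the example runs offline.

```python
import json
import os
import re
from urllib.parse import urlparse

# Only this host may be contacted; it is the endpoint the scan flagged.
# Anything else is refused before any bytes leave the machine.
ALLOWED_HOSTS = {"api.skillboss.co"}

# Data classes that must not reach a third party without review.
# These patterns are constructed for the example; tune them to your own data.
SENSITIVE_PATTERNS = {
    "api_key":     re.compile(r"\b(?:sk|AKIA|ghp)[-_]?[A-Za-z0-9]{16,}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "email":       re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn":         re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


class OutboundBlocked(Exception):
    """Raised when a request must not leave the host."""


def scan_for_sensitive(text):
    """Names of the sensitive-data classes present in text (sorted; empty if none)."""
    return sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text))


def vet_outbound(url, body, approve):
    """Decide whether an outbound request may be sent. Returns (allowed, reason).

    approve(summary) is the user-consent hook: it sees only the host, the payload
    size and the top-level keys, never the payload itself, and returns True to allow."""
    host = urlparse(url).hostname or ""
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} is not allow-listed"
    payload = json.dumps(body, sort_keys=True)
    hits = scan_for_sensitive(payload)
    if hits:
        return False, f"payload contains {', '.join(hits)}; refusing to send"
    summary = {"host": host, "bytes": len(payload.encode()), "keys": sorted(body)}
    if approve is None or not approve(summary):
        return False, "user did not approve the external call"
    return True, "ok"


def guarded_pilot(body, approve, post, api_key=None):
    """Drop-in replacement for the skill's pilot(body): same request, sent only
    after vet_outbound() clears it. `post` is the transport (requests.post in
    production; a stub here so the example runs offline)."""
    url = "https://api.skillboss.co/v1/pilot"
    allowed, reason = vet_outbound(url, body, approve)
    if not allowed:
        raise OutboundBlocked(reason)
    api_key = api_key or os.environ.get("SKILLBOSS_API_KEY")
    if not api_key:
        raise OutboundBlocked("SKILLBOSS_API_KEY is not set")
    return post(url,
                headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
                json=body, timeout=60)


# Constructed sample of what an Analysis Agent might load from inbox/data/.
SAMPLE_INBOX_RECORD = "Customer: Jane Roe, SSN 123-45-6789, renewal due 2025-03-01"


if __name__ == "__main__":
    def ask(summary):
        print("about to send:", summary)
        return False  # a real hook would prompt the user here

    try:
        guarded_pilot({"task": f"Analyze this data and provide insights: {SAMPLE_INBOX_RECORD}"},
                      ask, post=lambda *a, **k: "sent", api_key="example-key")
    except OutboundBlocked as e:
        print("blocked:", e)
```

The order of the checks matters: the destination and the payload scan run before the consent prompt, so the user is never asked to approve a request that policy would refuse anyway, and the scan refuses rather than redacts, because an agent that silently strips fields tends to retry with the same data in another shape.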

External Transmission

Medium
Category
Data Exfiltration
Content
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]

def pilot(body):
    r = requests.post(
        "https://api.skillboss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body, timeout=60,
Confidence
88% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]

def pilot(body):
    r = requests.post(
        "https://api.skillboss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body, timeout=60,
Confidence
90% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]

def pilot(body):
    r = requests.post(
        "https://api.skillboss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body, timeout=60,
Confidence
88% confidence
Finding
requests.post( "https://api.skillboss.co/v1/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]

def pilot(body):
    r = requests.post(
        "https://api.skillboss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body, timeout=60,
Confidence
90% confidence
Finding
requests.post( "https://api.skillboss.co/v1/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
def pilot(body):
    r = requests.post(
        "https://api.skillboss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body, timeout=60,
    )
Confidence
86% confidence
Finding
https://api.skillboss.co/

External Transmission

Medium
Category
Data Exfiltration
Content
def pilot(body):
    r = requests.post(
        "https://api.skillboss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body, timeout=60,
    )
Confidence
88% confidence
Finding
https://api.skillboss.co/
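
The six External Transmission findings above are one pattern seen in several places: a credential read from the environment flows into an outbound HTTP call to a fixed third-party host. The code below is an added example for this page, not SkillSpector's or the skill's code. It is a minimal AST-based check that reproduces that finding on a constructed copy of the flagged template (with a loopback call added for contrast), so the same test can be run over a skill's scripts before installing it. `find_external_transmissions`, `exfil_candidates`, `SAMPLE_SKILL_SCRIPT` and `LOCAL_HOSTS` are names assumed for the example.

```python
import ast
from urllib.parse import urlparse

# Constructed copy of the flagged template, plus a local call for contrast.
SAMPLE_SKILL_SCRIPT = '''
import os, requests
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]
HOME = os.getenv("HOME")

def pilot(body):
    r = requests.post(
        "https://api.skillboss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body, timeout=60,
    )
    return r.json()

def run_local(body):
    return requests.post("http://127.0.0.1:8080/run", json=body)
'''

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "request"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _is_name(node, name):
    return isinstance(node, ast.Name) and node.id == name


def _is_os_environ(node):
    return isinstance(node, ast.Attribute) and node.attr == "environ" and _is_name(node.value, "os")


def _const_str(node):
    if type(node).__name__ == "Index":  # Python 3.8 wraps subscript slices
        node = node.value
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def env_reads(tree):
    """Variable name -> env key for X = os.environ["K"], os.environ.get("K"), os.getenv("K")."""
    reads = {}
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        value, key = node.value, None
        if isinstance(value, ast.Subscript) and _is_os_environ(value.value):
            key = _const_str(value.slice)
        elif isinstance(value, ast.Call) and value.args and isinstance(value.func, ast.Attribute):
            f = value.func
            if (f.attr == "getenv" and _is_name(f.value, "os")) or (f.attr == "get" and _is_os_environ(f.value)):
                key = _const_str(value.args[0])
        if key:
            reads[node.targets[0].id] = key
    return reads


def find_external_transmissions(source):
    """Every requests.<method>(...) call with a literal URL: its host, whether it
    leaves the box, and which env-sourced values are referenced anywhere in the call."""
    tree = ast.parse(source)
    env = env_reads(tree)
    findings = []
    for node in ast.walk(tree):
        f = node.func if isinstance(node, ast.Call) else None
        if not (isinstance(f, ast.Attribute) and f.attr in HTTP_METHODS and _is_name(f.value, "requests")):
            continue
        url = _const_str(node.args[0]) if node.args else None
        host = urlparse(url).hostname if url else None
        referenced = {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}
        findings.append({
            "line": node.lineno,
            "method": f.attr,
            "host": host,
            "external": host is not None and host not in LOCAL_HOSTS,
            "env_credentials": sorted(env[n] for n in referenced if n in env),
        })
    return sorted(findings, key=lambda x: x["line"])


def exfil_candidates(findings):
    """The subset matching the External Transmission pattern: an off-host
    destination with an environment-sourced value somewhere in the call."""
    return [f for f in findings if f["external"] and f["env_credentials"]]


if __name__ == "__main__":
    for finding in find_external_transmissions(SAMPLE_SKILL_SCRIPT):
        print(finding)
```

The check only resolves literal URLs; a destination built at runtime (a variable, an f-string, a value read from config) shows up with `host` set to `None`, which is itself worth a look, since the scanner could not tell where that call goes either.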

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal