AGI Digital Companion - Basic Edition (AGI数字伙伴-基础版)

Security checks across malware telemetry and agentic risk

Overview

This skill largely matches its description as a memory-based AI companion, but it needs Review because it auto-creates persistent user profile data and exposes a calculator tool that passes the user-supplied expression string straight to eval(), which can run arbitrary Python code in the host process.

Install only in an isolated workspace until the calculator eval is removed or replaced with a safe arithmetic parser. Expect local profiling and conversation-memory files under ./agi_memory, including nicknames, customization answers, user queries, feedback, and derived behavioral data; avoid using it with sensitive conversations unless you have clear retention and deletion controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (34)

eval() call detected

High
Category
Dangerous Code Execution
Content
elif tool_name == "calculator":
    expression = params.get("expression", "0")
    try:
        result = eval(expression)
        data = {
            "expression": expression,
            "result": result
Confidence
99% confidence
Finding
result = eval(expression)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions, yet the documentation clearly instructs creation and modification of persistent local state under ./agi_memory and reading/writing personality.json. This creates a manifest-to-behavior gap that can mislead the host agent or reviewer about the skill's actual file access capabilities and weakens security review and consent boundaries.
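The manifest-to-behavior gap above, and the Behavioral AST patterns listed in the pattern table (eval()/exec() calls, dynamic imports), can be checked mechanically. The following is an added example of such a check, not code from the skill or from SkillSpector: it walks the Python AST of a skill file, infers the capabilities the code actually exercises (dynamic code execution, filesystem writes and deletes), and reports which of them are missing from a declared permission set. The sample source and the empty manifest are constructed to mirror the finding; the capability names and the `DECLARED_PERMISSIONS` set are assumptions, not part of any real manifest format.

```python
import ast

# Constructed sample of a skill file for illustration; not the skill's real code.
SAMPLE_SOURCE = '''
import os, json

def calculator(params):
    return eval(params.get("expression", "0"))

def save_profile(profile):
    with open("./agi_memory/personality.json", "w") as f:
        json.dump(profile, f)

def purge(path):
    os.remove(path)
'''

# Hypothetical manifest: what the skill declares. Empty, matching the finding.
DECLARED_PERMISSIONS = set()

WRITE_MODES = ("w", "a", "x", "+")


def _call_name(node):
    """Return the dotted callee name of a Call node, e.g. 'os.remove' or 'eval'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if parts and isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def scan_source(source):
    """Infer exercised capabilities as (capability, callee, line) tuples."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in ("eval", "exec"):
            findings.append(("dynamic_code_execution", name, node.lineno))
        elif name == "__import__":
            findings.append(("dynamic_import", name, node.lineno))
        elif name in ("os.remove", "os.unlink", "shutil.rmtree"):
            findings.append(("fs_delete", name, node.lineno))
        elif name == "open":
            # Mode may be positional or keyword; default is read-only.
            mode = "r"
            if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                mode = node.args[1].value
            for kw in node.keywords:
                if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                    mode = kw.value.value
            if any(m in str(mode) for m in WRITE_MODES):
                findings.append(("fs_write", name, node.lineno))
    return findings


def manifest_gap(findings, declared):
    """Capabilities the code exercises that the manifest does not declare."""
    used = {cap for cap, _, _ in findings}
    return sorted(used - declared)


if __name__ == "__main__":
    found = scan_source(SAMPLE_SOURCE)
    for cap, callee, line in found:
        print(f"{cap:24} {callee:12} line {line}")
    print("undeclared:", manifest_gap(found, DECLARED_PERMISSIONS))
```

A reviewer would run this over every file in the skill package and treat any non-empty gap as a blocking question for the author; the capability taxonomy here is deliberately small and should be extended (network calls, environment reads, subprocess) to match the pattern table above.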

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose presents the skill as a conversational AGI-evolution/personality system, but the analysis indicates substantially broader operational capabilities such as generic tool interfaces, history management, archival, observability, retries, pagination, and other engineering utilities. This kind of scope creep is dangerous because reviewers and orchestration layers may trust it for a narrow purpose while it can exercise much broader data-handling and tool-usage behavior.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
A hidden /root command enables privileged personality customization and persistent rewriting of persona configuration, despite not being justified as a necessary user-facing control in the manifest. Hidden or magic control channels are risky because they bypass normal expectation-setting, can be triggered accidentally or maliciously, and alter future behavior through persistent state changes.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The documentation simultaneously describes the outer intentionality module as passive and non-interfering while also stating it runs independently in the background and autonomously generates suggestions into an advice pool. Contradictory control-boundary claims are dangerous because they obscure whether the module can influence outputs or state, undermining reliable threat modeling and user consent around background analysis.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The architecture describes the outer loop in incompatible ways: as a background intentionality-analysis subsystem and as a hard-constraint layer representing non-violable physical laws. Such contradictions make it unclear what authority the subsystem has, increasing the risk that operators misunderstand when it may override, steer, or constrain the agent's behavior.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The documentation states the component 'only provides suggestions, does not directly execute', but the documented API includes persistent state-changing operations such as writing patterns, feedback, A/B test results, and migration outcomes to memory. This discrepancy can cause integrators to grant the component excessive trust or insufficient safeguards, leading to unintended persistence, data poisoning, or unauthorized modification of local state.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file's functionality is a filesystem lifecycle/retention manager that archives and deletes local data, which does not align with the manifest's stated AGI evolution, personality customization, and dialogue purpose. In an agent skill ecosystem, this kind of scope mismatch is dangerous because it can conceal side-effecting storage operations under a misleading description, reducing operator scrutiny and increasing the chance that destructive behavior is granted trust or permissions it should not have.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This code performs deletion of cold data and expired archives via os.remove based on filename-derived dates, but those destructive capabilities are not justified by the skill's declared purpose. In context, hidden deletion logic is more dangerous because users or platform reviewers expecting a conversational/personality skill may unknowingly deploy a component that destroys local data, especially if maintenance is automated or run with broad filesystem permissions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code persistently stores user nickname, core traits, and full custom answers in local JSON files, which can contain sensitive personal or profiling data. Because there is no minimization, retention control, access restriction, or confidentiality protection in this file, local disclosure or unintended secondary use of personal data becomes more likely.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The module accepts arbitrary system internal state and serializes the full object into output without any scoping, minimization, or access control. In an agent skill, internal state can include prompts, memory, tokens, configuration, or other sensitive runtime context, so broad ingestion materially expands the data exposure surface beyond the stated conversational purpose.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The collector ingests arbitrary external data dictionaries and stores them wholesale as JSON, with no source restrictions, validation, or justification tied to the skill's declared use. This creates a broad channel for processing sensitive third-party data and can enable unintended retention or propagation of untrusted content through later stages of the system.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code labels the computed values as deviation metrics, but `_compare_intensity`, `_compare_type`, and `_compare_direction` actually return similarity scores, and `overall_deviation` is the average of those similarities. As written, the trigger fires when the system is well-aligned with the main loop rather than when it diverges, which can invert control logic and cause incorrect autonomous behavior or suppression/escalation decisions in higher-level orchestration.
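The inversion described in this finding is easy to see with concrete values. The block below is an added illustration, not the skill's code: the three comparator helpers are hypothetical reconstructions that return similarity scores, as the finding says the real ones do, and the `Intent` fields, the `THRESHOLD` value and the two trigger functions are assumptions made for the example. The "as written" path averages similarities under the name `overall_deviation`, so the trigger fires on a perfectly aligned pair; the fixed path takes the complement.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Intent:
    intensity: float  # assumed range 0..1
    kind: str
    direction: str


# Hypothetical comparators: each returns a SIMILARITY in [0, 1], which is the
# pattern the finding describes for _compare_intensity/_compare_type/_compare_direction.
def _compare_intensity(a: Intent, b: Intent) -> float:
    return 1.0 - abs(a.intensity - b.intensity)


def _compare_type(a: Intent, b: Intent) -> float:
    return 1.0 if a.kind == b.kind else 0.0


def _compare_direction(a: Intent, b: Intent) -> float:
    return 1.0 if a.direction == b.direction else 0.0


def _similarities(a: Intent, b: Intent) -> list:
    return [_compare_intensity(a, b), _compare_type(a, b), _compare_direction(a, b)]


def overall_deviation_as_written(a: Intent, b: Intent) -> float:
    # Reproduces the bug: averages similarities but labels the result a deviation.
    return mean(_similarities(a, b))


def overall_deviation_fixed(a: Intent, b: Intent) -> float:
    # Deviation is the complement of similarity.
    return 1.0 - mean(_similarities(a, b))


THRESHOLD = 0.6  # assumed: "deviation above this escalates to the outer loop"


def trigger_as_written(a: Intent, b: Intent) -> bool:
    return overall_deviation_as_written(a, b) > THRESHOLD


def trigger_fixed(a: Intent, b: Intent) -> bool:
    return overall_deviation_fixed(a, b) > THRESHOLD


if __name__ == "__main__":
    main_loop = Intent(0.8, "assist", "forward")
    aligned = Intent(0.8, "assist", "forward")
    diverged = Intent(0.2, "refuse", "backward")
    print("aligned  -> as written:", trigger_as_written(main_loop, aligned),
          " fixed:", trigger_fixed(main_loop, aligned))
    print("diverged -> as written:", trigger_as_written(main_loop, diverged),
          " fixed:", trigger_fixed(main_loop, diverged))
```

The practical check during review is exactly this: feed the comparator an identical pair and a clearly opposed pair and confirm the trigger fires on the opposed one only. A metric named "deviation" that is maximal for identical inputs is a control-logic inversion, whatever the code comments say.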

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code persists interaction records, including user_query and related metadata, to a local JSON file without any visible consent, retention control, or disclosure boundary in this file. In an AGI dialogue/personality skill, silent long-term storage of user conversations increases privacy risk and expands the attack surface if the host environment is shared or compromised.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The compress function destructively rewrites historical records by deleting low-value entries and replacing them with a synthesized summary. In a self-evolving memory system, this can undermine auditability, user expectations, and forensic review, especially if past interactions are needed to explain or contest model behavior.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The unrestricted expression evaluator is a real vulnerability because it enables arbitrary Python execution through the calculator interface. The skill context makes this more dangerous, not less, because a self-evolution/personality skill has no legitimate need for arbitrary code evaluation, suggesting hidden capability beyond stated purpose.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script collects and persists the user's raw answers and derived profile data into ./agi_memory/custom_history.json, even though the described functionality emphasizes personality customization and config generation rather than long-term answer-history storage. This creates a privacy and data-minimization issue: sensitive preference/personality data is retained on disk without clear consent, retention limits, or access controls, increasing the risk of unintended disclosure or secondary use.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger condition covers essentially any user question, task request, or interaction need, making the skill eligible for activation in nearly all conversations. Overbroad activation is dangerous because it can cause persistent initialization, background data collection, persona changes, or broad tool behavior to run outside the user's reasonable expectation.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The usage description is broad and vague, lacking concrete boundaries for when the skill should or should not be activated. Ambiguous invocation guidance increases the chance of accidental routing into a skill that performs persistence, background analysis, and persona management beyond what a user asked for.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The first-interaction flow instructs the agent to auto-initialize a default persona and verify personality.json without clearly foregrounding to the user that local memory and persona files will be written. Silent persistence on first contact is risky because it creates durable state and future behavioral influence without clear notice or consent.

Missing User Warnings

High
Confidence
95% confidence
Finding
The outer module is described as continuously collecting, classifying, and analyzing intentionality data in the background, but the documentation does not provide adequate privacy notice, retention policy, or data-processing boundaries. Background behavioral analysis without transparent disclosure is a serious privacy and trust risk, especially when paired with memory storage and advice generation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly describes collecting user ratings, comments, scenarios, and A/B test records, then persisting them in concept libraries, but it does not define privacy controls, retention limits, minimization, consent, or access restrictions. In a cognitive-analysis skill, this context makes the issue more serious because free-form feedback and scenario descriptions can easily contain sensitive user or organizational data that becomes silently stored and reused.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide explicitly describes creating `./agi_memory/personality.json` containing persistent fields such as `user_nickname`, trait selections, and customization answers, but it does not clearly warn operators or users that personal preference data will be stored locally. In an agent skill that profiles users and supports long-term evolution, undisclosed persistence increases privacy risk, surprise data retention, and possible secondary misuse if the storage directory is later exposed or synced.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The module is documented as continuously collecting user, system-internal, and external intentionality data, including raw content and derived features, yet the file provides no privacy notice, consent model, retention limits, minimization rules, or access controls. In an AGI/self-evolution context, persistent background collection can enable covert profiling, over-collection of sensitive data, and unsafe secondary use of user and system telemetry.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script writes potentially sensitive user data to local JSON storage without any user-facing notice, consent, or transparency mechanism in this file. In the context of a personality customization skill, silently storing answers and traits increases privacy risk because users may not expect durable profiling data to be retained.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal