AGI数字伙伴

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives a conversational AGI companion broad local file, process, system-info, and shell-command powers without tight safeguards.

Treat this as a Review install. Use it only in a sandbox or disposable workspace, keep secrets and important files out of reach, and do not enable the command/file/process tools unless you intentionally want the skill to have host-administration-level power.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (67)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    start_time = datetime.datetime.now()
    try:
        if detected_shell_type == "powershell":
            result = subprocess.run(
                [shell_executable, "-Command", command],
                cwd=cwd,
                env=env,
Confidence
89% confidence
Finding
result = subprocess.run( [shell_executable, "-Command", command], cwd=cwd, env=env, capture_output=capture_output,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                timeout=timeout
            )
        else:
            result = subprocess.run(
                command,
                shell=True,
                cwd=cwd,
Confidence
99% confidence
Finding
result = subprocess.run( command, shell=True, cwd=cwd, env=env, capture_output=capture_output,

eval() call detected

High
Category
Dangerous Code Execution
Content
            elif tool_name == "calculator":
                expression = params.get("expression", "0")
                try:
                    result = eval(expression)
                    data = {
                        "expression": expression,
                        "result": result
Confidence
99% confidence
Finding
result = eval(expression)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill declares no permissions while its documentation explicitly exposes shell execution, file read/write, environment inspection, and other system-interaction capabilities. This creates a transparency and consent failure: a host may treat the skill as low-privilege while the skill’s documented behavior encourages high-privilege actions, increasing the chance of silent overreach or unsafe tool use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
The stated purpose is conversational AGI evolution and personality customization, but the skill also documents arbitrary command execution, file operations, process control, system enumeration, and persistent storage. That mismatch is dangerous because users and orchestrators may invoke a seemingly benign dialogue skill without realizing it can materially affect the host system and collect sensitive local state.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Broad CLI system-interaction capabilities are unnecessary for most dialogue, personality, or self-reflection workflows and materially expand attack surface. Once present, they enable command execution, filesystem manipulation, and host introspection that could be abused through prompt injection, confused-deputy behavior, or accidental invocation.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The outer-loop module is described as passive and non-interfering, yet it also runs independently in the background and continuously collects internal, user, and external intentionality data. This contradiction is dangerous because it normalizes covert background collection under a harmless label, reducing user awareness and making privacy-invasive behavior easier to hide or justify.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The document describes a broad CLI toolbox with file operations, system inspection, process control, and arbitrary command execution that far exceeds the stated AGI dialogue/self-evolution purpose. This capability mismatch is dangerous because it normalizes unnecessary privileged system access and increases the likelihood that an agent using the skill can perform destructive or data-exfiltrating actions unrelated to its declared function.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The guide explicitly documents a generic executor that can run arbitrary shell commands across bash, cmd, and PowerShell. Even with a blacklist, arbitrary command execution is inherently high risk because blacklists are bypassable, enabling command injection, destructive system changes, persistence, or data theft if an agent or user input reaches this interface.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The process manager includes listing, inspecting, and killing arbitrary processes, including force-kill. These capabilities are unjustified by the skill's stated purpose and can be abused to disrupt services, terminate security tooling, or interfere with other workloads on the host.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The documented ability to retrieve environment variables exposes a common source of secrets such as API keys, tokens, credentials, and internal configuration. In the context of an AGI-oriented skill, this access is not clearly necessary and meaningfully expands the attack surface for sensitive data disclosure.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The document markets 'security features' while simultaneously stating that the tools use a permissive security policy with broad operational authority. This creates a misleading trust signal that can cause reviewers or operators to underestimate risk and deploy powerful capabilities without appropriate controls.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document claims there is 'no feedback loop' and that the component is non-executing, but the architecture and interfaces explicitly accept user feedback and A/B test results to update the concept library. This is a real design-integrity issue because downstream operators may trust the stated one-way, non-self-modifying behavior and deploy it with weaker controls than a state-mutating learning component requires.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The stated 'strictly no feedback' and 'one-way flow into mapping/self-iteration' model is contradicted throughout the file by feedback-learning APIs, migration-result recording, and concept-library updates. In an AGI self-evolution skill, this mismatch is more dangerous because hidden or under-documented adaptive state changes can affect future outputs, impair auditability, and create opportunities for poisoning or unintended self-modification.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documented component exceeds passive checking and includes active correction, tool invocation for external verification, and persistent record writing. Expanding a 'check' component into an actor with execution and storage authority increases attack surface and can enable unintended data flow, tool misuse, or privilege creep if implemented as described.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The spec endorses dynamic MCP server registration and remote tool invocation using arbitrary server URLs, which can expand trust boundaries at runtime and enable connections to untrusted infrastructure. In an agent context, this raises SSRF, data exfiltration, and unauthorized capability expansion risks, especially because the skill's stated purpose does not justify broad remote tool discovery.

Context-Inappropriate Capability

High
Confidence
88% confidence
Finding
The troubleshooting guide explicitly advises use of forceful process termination and references process-management tooling, which introduces host-level operational power unrelated to the stated AGI dialogue/personality purpose. In an agent setting, normalizing kill-style actions can enable denial of service or disruption of unrelated processes if users or downstream automation follow the guidance without strict targeting controls.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The usage examples significantly expand the skill from AGI dialogue/personality evolution into broad host-management functions such as file modification, process control, and arbitrary command execution. In an agent setting, documenting and normalizing these capabilities increases the chance the skill will be granted overly broad permissions and used for actions unrelated to its declared purpose.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The document explicitly advertises arbitrary shell execution via a generic command runner, including pipelines, custom working directories, environment variables, and git commands. This is highly dangerous because arbitrary command execution can lead to full host compromise, data exfiltration, destructive actions, and privilege abuse if the agent is allowed to invoke it.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The documented process-management features include enumerating processes, inspecting them, and killing by PID, which are unrelated to the stated AGI dialogue/self-evolution purpose. These capabilities can be abused to disrupt services, impair monitoring/security tools, or interfere with co-located applications on the host.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The system-information examples collect CPU, memory, disk, and broad host state that do not appear necessary for the skill’s declared conversational and personality functions. While less severe than code execution, unnecessary host inspection increases environmental exposure and can aid reconnaissance for later abuse.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The file-operation tooling supports arbitrary reads, writes, directory listing, and content search, which goes well beyond the stated AGI role. In practice, this can expose secrets, modify configuration, overwrite user data, or enable lateral discovery of sensitive files when embedded in an agent workflow.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The file implements a general-purpose shell executor while the skill metadata describes AGI evolution and conversation features, indicating a strong capability mismatch. Hidden or unjustified command-execution tooling inside an unrelated skill materially increases the risk that the skill is being used as a covert system access mechanism.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Arbitrary subprocess execution is not justified by the skill's stated AGI self-improvement/dialogue purpose, making the capability especially suspicious and dangerous in context. This mismatch means users or higher-level agents may invoke the skill without understanding that it can execute OS commands, leading to severe compromise potential.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements a broad local file-management CLI (read, write, delete, move, copy, mkdir, search, stat) that is unrelated to the declared AGI evolution / dialogue / metacognition purpose. In an agent skill, this capability mismatch is dangerous because it expands the skill's authority to arbitrary filesystem access, increasing the likelihood of data exfiltration, tampering, or destructive actions if the skill is invoked or composed unexpectedly.

VirusTotal

67/67 vendors flagged this skill as clean.