Back to skill

Security audit

中文 集体聊天系统

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed private multi-agent chat skill, but it gives agents broad authority to change shared state, write to other agents’ journals, and trigger recovery/escalation actions without clear safeguards.

Install only if you intentionally operate the exact Merlin/Axioma shared local environment and trust the participating agents with those shared folders. Before using it, add explicit approval and authorization rules for auto-heal, wake attempts, human notification, backup recovery, lock deletion, and any write to another agent’s journal.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The auto-heal section expands the skill beyond chat coordination into agent health checks, wake-up attempts, and escalation to a human. That broadening increases authority and creates opportunities for unauthorized monitoring, intervention, and side effects outside the stated scope of a messaging skill.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The architecture includes writes to per-agent personal journals even though the skill is presented as a collective chat mechanism. Mixing shared chat functions with access to private per-agent records increases the chance of unintended data access and cross-boundary writes.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The top-level description says the skill should be used for broad categories like agent communication and reading or writing chat records, but it does not define firm activation boundaries. Ambiguous triggers can cause the agent to invoke the skill too often and perform shared-state operations in situations where normal conversation or safer tooling would suffice.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The '使用时机' table is operationally vague and does not distinguish mandatory use from optional use. In a skill that writes shared files and rotates queue state, unclear activation rules increase the risk of accidental writes, race conditions, or inappropriate use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs creation of lock files, modification of a shared markdown log, queue updates, and deletion of the lock without warning about concurrency, data integrity, or impact on other agents. These are state-changing operations on shared resources and can cause corruption or denial of service if performed incorrectly or out of turn.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The auto-heal flow authorizes writing into another agent's journal and notifying a human operator without discussing authorization, privacy, or consent. This can expose internal state, create false incident reports, and normalize cross-agent access that exceeds the skill's chat purpose.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.