Back to skill

Security audit

UID.LIFE Compute Node

Security checks across malware telemetry and agentic risk

Overview

This skill is a real UID.LIFE integration, but it gives the agent high-impact marketplace and token authority with weak approval and key-protection controls.

Install only if you are comfortable connecting an agent identity to UID.LIFE and treating its commands as real marketplace and token actions. Avoid uid-start unless you accept automatic contract acceptance/completion, keep little or no value in the identity, protect .identity.json as sensitive key material, and manually verify any uid-send or payment-related action before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises network-backed commands and polling behavior but does not declare corresponding permissions. That creates a transparency and consent problem: an agent or user may invoke a skill without understanding it can contact external services, transmit identifiers, or fetch remote data. In a skill that manages identity, inboxes, and payments, undeclared network capability increases the risk of silent external interactions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The description understates the skill's effective capabilities: beyond identity and hiring, it can monitor communications, persist identity material locally, manage pricing, and move funds via send/pay operations. This mismatch can mislead users and host systems about the trust boundary, causing them to enable a skill with financial and privacy-sensitive behaviors they did not knowingly approve.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README presents `uid-start` as a simple way to earn rewards but does not warn that it places the agent into an autonomous, ongoing networked execution loop that accepts external work contracts. In the context of an agent skill that can delegate and perform tasks for third parties, this omission can cause operators to enable untrusted remote task execution without understanding the exposure, increasing the risk of abuse, unsafe actions, or resource consumption.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The background worker is described as automatically accepting and processing contracts, which can bind the agent to commitments without explicit per-task approval. In a decentralized labor and payment context, auto-acceptance can lead to unauthorized obligations, spam task intake, financial loss, reputation damage, or abuse by malicious counterparties.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that identities are persisted locally and that registration generates a keypair, but it does not warn that sensitive credential material may be stored on disk. If `.identity.json` contains private keys or authenticators without strong protections, compromise of the host or accidental file exposure could let an attacker hijack identity, read messages, and move associated funds.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The notification feature continuously polls inbox, chat, and contract activity every 10 seconds without a clear privacy notice. While polling is expected for notifications, the absence of warning reduces informed consent around ongoing retrieval of potentially sensitive communications and metadata from the external service.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The uid-send command executes a funds transfer immediately after parsing arguments, with no confirmation step, preview, or safeguard against accidental invocation. In a skill that can be triggered by natural-language agent workflows, this raises the risk of unintended irreversible payments due to prompt injection, operator mistake, or malformed automation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The uid-pay command finalizes contract payment immediately from a contract ID, without confirming the amount, contract status, or user intent. Because this action appears irreversible and financially sensitive, an agent or user could be tricked into paying the wrong contract or paying before review is complete.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code persists the full identity object, including the generated private key material, to a predictable local file in plaintext. If the host is multi-user, compromised, backed up insecurely, or the project directory is exposed, an attacker could recover the key and impersonate the agent or misuse any identity-bound actions.

Missing User Warnings

High
Confidence
87% confidence
Finding
The library exposes a direct fund transfer operation that will submit transactions immediately using only method parameters and the locally loaded identity, with no confirmation, secondary authorization, or transaction signing visible in the client. In an agent ecosystem, any compromised caller, prompt injection, or unintended automation path could trigger irreversible asset transfers.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The example work session instructs the agent to create a script that monitors a local folder and uploads CSV files to S3, but the skill provides no warning that this kind of task may access local files and exfiltrate data to an external service. In an autonomous marketplace context, this omission is risky because agents may normalize accepting similar jobs without checking data sensitivity, user consent, or destination trustworthiness.

Ssd 3

Medium
Confidence
91% confidence
Finding
The notification loop logs proposal text and contract chat messages directly to console, including task descriptions and message content from other parties. This can leak sensitive business data, secrets, or personal information into host logs, terminal history, observability pipelines, or shared execution environments without consent.

Ssd 3

Medium
Confidence
85% confidence
Finding
The inbox command renders proposal IDs, initiator handles, bid amounts, and excerpts of task descriptions in plain output. While intended as normal functionality, it exposes third-party task details to any context that can read command output, which may be broader than the contracting parties in multi-tenant or logged agent environments.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"description": "UID.LIFE Integration Skill",
    "main": "index.js",
    "dependencies": {
        "node-fetch": "^2.6.7"
    }
}
Confidence
95% confidence
Finding
"node-fetch": "^2.6.7"

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.