
Security audit

Towel Protocol

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a trust-score lookup, but it also includes undocumented scripts that can use a GitHub login to create persistent trust-channel repos and commit handshake secrets.

Treat this as a "Review" verdict rather than a simple read-only reputation checker. The public curl examples are coherent, but do not run the bundled shell scripts unless you explicitly want them to use your GitHub account, create a private repo, commit handshake material, and maintain a persistent inter-agent channel. If you have already run them, inspect your git remotes for embedded tokens and rotate any exposed GitHub credentials or handshake seeds.

SkillSpector (by NVIDIA)
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The script performs state-changing infrastructure operations by creating, cloning, populating, and pushing a new GitHub repository, which materially exceeds the stated skill purpose of checking or displaying agent trust. In an agent context, this can cause unauthorized external side effects, create covert communication channels, and persist data in third-party infrastructure without explicit user approval.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The script extracts a GitHub authentication token and embeds it directly into the git remote URL, which risks credential exposure through process inspection, git configuration, logs, error output, or later repository inspection. Even if intended for convenience, placing long-lived credentials into remotes is an unsafe secret-handling practice that can lead to repository or organizational compromise.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The script generates per-agent secret seeds and stores them under the repository path, then stages and commits them to git. That places identity secrets in a location likely to be shared, backed up, or published, allowing anyone with repository access to compute valid challenge responses and impersonate the agent.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The skill instructs users to import platform credentials through an authenticated API, but it does not clearly warn that this action links external identities and may disclose handles or reputation data to a third-party service and on-chain system. In a trust/reputation context, that omission can cause unintended deanonymization, cross-platform correlation, or oversharing of identity metadata.

VirusTotal

64/64 vendors flagged this skill as clean.