agent-teleport

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the advertised migration, but it can upload a broad workspace snapshot to a remote TiDB database and restore by overwriting local files without strong user controls.

Install only if you are comfortable with a migration tool that can upload the current directory to TiDB. Run it from a dedicated, reviewed agent folder, protect the returned DSN like a password, restore into an empty directory first, and delete the temporary database after migration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares access to environment variables and requires execution of Python and curl, but it does not declare explicit permissions or user-facing safeguards commensurate with those capabilities. Because the skill is designed to move memory, configuration, and workspace files off-machine, undeclared capability scope can lead users to invoke a data-exporting workflow without clear consent boundaries.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill advertises migration of agent configuration and memory, but actually archives the entire current working directory and uploads it remotely. In skill context this is more dangerous because users may reasonably expect a limited-scope migration and instead exfiltrate unrelated code, documents, tokens, and local data; the small ignore list does not meaningfully narrow the scope.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code silently provisions a remote TiDB instance through an external API when environment credentials are not present. In this skill context, automatically creating remote infrastructure broadens the trust boundary and sends workspace data to a third-party service without strong user disclosure or control.

Intent-Code Divergence

Low
Confidence
96% confidence
Finding
The restore flow extracts archive contents directly into the current directory and can overwrite existing files, while presenting the result as a successful workspace restore. In context, this can destroy local work or replace scripts/configuration with remotely supplied content, making the operation riskier than the user-facing message implies.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The design explicitly states that the DSN functions as the effective secret for restoring an agent's configuration and memory, meaning possession of the DSN grants recovery access. Documenting this capability without prominent warnings, handling requirements, rotation guidance, or impact disclosure encourages unsafe treatment of the DSN and increases the chance of credential leakage leading to unauthorized restoration and data exposure.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases "move to a new server" and especially "backup my brain" are broad, natural-language expressions that could plausibly appear in ordinary conversation without the user intending a sensitive migration action. In this skill, the trigger directly launches `agent-teleport --action pack`, which appears to package configuration and memory, so accidental activation could cause unintended export of agent state to another system or storage location.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The description 'Seamlessly migrate your agent's configuration and memory to a new machine' is broad and lacks trigger constraints, which can cause the skill to be invoked in contexts where users do not intend off-device migration. For a skill that may package sensitive memory and files, vague invocation language increases the risk of accidental data exfiltration or overly broad agent use.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill explicitly claims it can transfer 'memory, configuration, and workspace files' but does not clearly warn users that this data leaves the machine and may be stored in an external TiDB instance. In this context, the omission is serious because agent memory and workspace files commonly contain secrets, proprietary code, credentials, or sensitive user data, making accidental exfiltration highly plausible.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to provide database credentials via environment variables but does not warn that these are sensitive secrets that must be protected from logs, shell history, screenshots, and downstream subprocess exposure. In a skill already using Python and curl, weak guidance around credential handling increases the chance of leakage or unsafe operational practices.
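The credential-handling finding above describes the leak paths (logs, shell history, `ps` output, child-process environments) without showing how a skill should avoid them. The following Python is an added example, not agent-teleport's own code. It assumes the DSN arrives in an environment variable named `TIDB_DSN` (a constructed name) and that the upload goes to an HTTPS endpoint taking the DSN's user and password as HTTP basic auth (also constructed); the point is that the secret is masked before it is logged, stripped from the environment handed to child processes, and passed to curl through a config file on stdin rather than on the command line.

```python
"""Handle a TiDB DSN from the environment without leaking it.

Added example, not agent-teleport's own code. TIDB_DSN, the upload
endpoint and the basic-auth reuse of the DSN credential are assumptions.
"""
import os
import re
import shutil
import subprocess

# Constructed list of variable-name prefixes that carry secrets.
SECRET_PREFIXES = ("TIDB_", "DSN", "AWS_", "OPENAI_")

# Two DSN shapes: URL style (mysql://u:p@host:4000/db) and Go/MySQL
# driver style (u:p@tcp(host:4000)/db). The bare form is only matched
# at the start of the string or after whitespace, so the scheme of a
# URL-style DSN is never mistaken for a user name.
_URL_CRED = re.compile(r"://([^:/@\s]+):([^@\s]+)@")
_BARE_CRED = re.compile(r"(^|\s)([^:/@\s]+):([^@\s]+)@")


def redact_dsn(text: str) -> str:
    """Mask the password component so the text is safe to log or show."""
    if "://" in text:
        return _URL_CRED.sub(lambda m: f"://{m.group(1)}:***@", text)
    return _BARE_CRED.sub(lambda m: f"{m.group(1)}{m.group(2)}:***@", text)


def dsn_credentials(dsn: str) -> tuple:
    """Return (user, password) from either DSN shape."""
    m = _URL_CRED.search(dsn) if "://" in dsn else _BARE_CRED.search(dsn)
    if not m:
        raise ValueError("DSN has no user:password@ component: " + redact_dsn(dsn))
    return (m.group(1), m.group(2)) if "://" in dsn else (m.group(2), m.group(3))


def scrubbed_env(env: dict) -> dict:
    """Copy of env without secret-bearing variables, for child processes
    (curl, shells, editors) that have no reason to inherit them."""
    return {k: v for k, v in env.items()
            if not k.startswith(SECRET_PREFIXES)
            and "SECRET" not in k and "TOKEN" not in k}


def _curl_quote(s: str) -> str:
    # curl config strings are double-quoted with backslash escapes.
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def curl_upload_plan(dsn: str, url: str, archive_path: str, env=None) -> tuple:
    """Build (argv, stdin_config, env) for an upload. The credential lives
    only in the config text fed to `curl --config -` on stdin, so it never
    appears in argv (visible in `ps` and shell history) or in the env."""
    user, password = dsn_credentials(dsn)
    config = (f"url = {_curl_quote(url)}\n"
              f"user = {_curl_quote(user + ':' + password)}\n"
              "silent\nshow-error\nfail\n")
    argv = ["curl", "--config", "-", "--upload-file", archive_path]
    return argv, config, scrubbed_env(dict(os.environ if env is None else env))


def run_upload(plan: tuple) -> int:
    """Execute a plan from curl_upload_plan; returns curl's exit status."""
    argv, config, env = plan
    return subprocess.run(argv, input=config, env=env, text=True).returncode


if __name__ == "__main__":
    dsn = os.environ.get("TIDB_DSN", "mysql://root.abc:s3cret@gateway01.example:4000/test")
    print("using", redact_dsn(dsn))  # never log the raw DSN
    plan = curl_upload_plan(dsn, "https://upload.example/ws", "/tmp/ws.tgz")
    print("argv:", plan[0])  # no secret here
    if shutil.which("curl") and "TIDB_DSN" in os.environ:
        print("curl exit status:", run_upload(plan))
```

Rotating the DSN after a migration still matters: the config text is briefly readable by anything that can inspect the process's stdin pipe, and the remote database keeps the snapshot until it is deleted.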

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill uploads a compressed archive of the workspace to a cloud database without any prior warning, consent gate, or meaningful disclosure of what is being sent. Given the broad archive scope, this creates a material risk of unintentional data exfiltration from an agent environment.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The restore operation writes extracted files into the current directory and overwrites content without explicit warning or confirmation. In this context, remote archive contents may alter code, configuration, or state unexpectedly, leading to integrity loss and unsafe downstream execution.
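Two of the findings above, the archive that captures the whole working directory despite a small ignore list and the restore that extracts over the current directory, have a single practical counter-measure: inspect the bundle before it leaves the machine, and restore only into an empty directory after validating every entry. The following Python is an added example, not agent-teleport's own code. It assumes the skill's bundle is a gzipped tar of the working directory; the secret-bearing file-name patterns and the sample archive are constructed for illustration.

```python
"""Audit a workspace archive before upload; restore without overwriting.

Added example, not agent-teleport's own code. Assumes the bundle is a
gzipped tar of the working directory; SENSITIVE_PATTERNS and the sample
archive are constructed.
"""
import fnmatch
import io
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Optional

# Constructed patterns: files that usually hold credentials or data a
# user would not expect a "migrate my agent" action to ship off-machine.
SENSITIVE_PATTERNS = (
    ".env", ".env.*", "*.pem", "*.key", "id_rsa*", "id_ed25519*",
    ".netrc", ".npmrc", ".pypirc", "*.tfstate", ".aws/*", ".ssh/*",
)


def _unsafe_reason(m: tarfile.TarInfo) -> Optional[str]:
    """Why extracting this member could write outside the target or
    create something other than a plain file or directory."""
    if os.path.isabs(m.name):
        return "absolute path"
    if ".." in Path(m.name).parts:
        return "path traversal"
    if m.issym() or m.islnk():
        return "link"
    if not (m.isfile() or m.isdir()):
        return "special file"
    return None


def audit_archive(archive: bytes) -> dict:
    """What the archive would upload: member count, uncompressed bytes,
    members matching SENSITIVE_PATTERNS, and members a restore must refuse.
    Run this on the packed bundle before it leaves the machine."""
    sensitive, unsafe, count, size = [], [], 0, 0
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        for m in tf.getmembers():
            count, size = count + 1, size + m.size
            reason = _unsafe_reason(m)
            if reason:
                unsafe.append((m.name, reason))
            rel = m.name[2:] if m.name.startswith("./") else m.name
            base = os.path.basename(rel)
            if any(fnmatch.fnmatch(rel, p) or fnmatch.fnmatch(base, p)
                   for p in SENSITIVE_PATTERNS):
                sensitive.append(m.name)
    return {"members": count, "bytes": size, "sensitive": sensitive, "unsafe": unsafe}


def make_empty_dir() -> Path:
    """A fresh empty directory to restore into, so nothing local is clobbered;
    move files into place by hand after reviewing them."""
    return Path(tempfile.mkdtemp(prefix="teleport-restore-"))


def safe_restore(archive: bytes, dest: Path) -> list:
    """Extract into dest, which must exist and be empty. Every member is
    validated before any file is written, so a hostile entry cannot leave
    a half-restored directory behind. Returns the restored member names."""
    dest = dest.resolve()
    if not dest.is_dir() or any(dest.iterdir()):
        raise ValueError(f"refusing to restore into non-empty directory {dest}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        members = tf.getmembers()
        for m in members:
            reason = _unsafe_reason(m)
            if reason:
                raise ValueError(f"refusing member {m.name!r}: {reason}")
            target = (dest / m.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"member {m.name!r} resolves outside {dest}")
        # Python 3.12+ ships tarfile's own 'data' filter; use it as a second layer.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        for m in members:
            tf.extract(m, path=str(dest), **extra)
    return [m.name for m in members]


def build_sample_archive(include_traversal: bool = True) -> bytes:
    """Constructed sample of what packing a workspace with a small ignore
    list really captures, plus (optionally) one traversal entry of the
    kind a tampered remote bundle could carry."""
    files = {
        "memory/notes.md": b"agent notes\n",
        "config.json": b'{"model": "x"}\n',
        ".env": b"OPENAI_API_KEY=sk-example\n",
        ".ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\n",
        "src/app.py": b"print('unrelated project code')\n",
    }
    if include_traversal:
        files["../../.bashrc"] = b"# injected\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    bundle = build_sample_archive()
    report = audit_archive(bundle)
    print("would ship secrets:", report["sensitive"])
    print("restore must refuse:", report["unsafe"])
    try:
        safe_restore(bundle, make_empty_dir())
    except ValueError as e:
        print("restore blocked:", e)
    out = make_empty_dir()
    print(len(safe_restore(build_sample_archive(False), out)), "files restored into", out)
```

The audit answers the consent question the findings raise (what exactly is about to leave the machine), and the restore refuses to run at all when the target already has content, which is the behaviour the overview recommends: restore into an empty directory first, then decide what to keep.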

VirusTotal

65/65 vendors flagged this skill as clean.
