Agent Comm Hub

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent multi-agent hub purpose, but its artifacts expose cross-agent messages, tasks, files, memory, and diagnostics more broadly than its security claims disclose.

Treat the verdict as Review rather than an outright block: install only in a trusted local environment, bind the server to localhost or otherwise firewall it, do not expose port 3100, leave the optional watcher/runner scripts disabled until they have been reviewed, and assume that any registered agent may be able to see or modify more shared hub data than the documentation implies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (77)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Send a macOS system notification"""
    try:
        script = f'display notification "{message}" with title "{title}" sound name "Glass"'
        subprocess.run(
            ["osascript", "-e", script],
            timeout=5,
            capture_output=True,
Confidence
94% confidence
Finding
subprocess.run( ["osascript", "-e", script], timeout=5, capture_output=True, )
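The subprocess call itself is not the problem here; what the excerpt shows is that `message` and `title` are formatted straight into the AppleScript source, so a double quote in either value changes the program that osascript compiles. The following Python is an added example, not code from the skill: it reproduces that builder, shows a constructed payload that turns it into a `do shell script` call, and contrasts it with a builder that keeps the AppleScript constant and hands the values over as argv. The function and constant names are assumptions made for the example.

```python
import subprocess
import sys

# Same shape as the flagged helper: message and title are interpolated into the
# AppleScript source. A double quote in either closes the string literal, and
# the rest of the value is parsed as AppleScript.
def build_notify_cmd_unsafe(message: str, title: str) -> list[str]:
    script = f'display notification "{message}" with title "{title}" sound name "Glass"'
    return ["osascript", "-e", script]

# Hardened form: the AppleScript source is a constant, and the untrusted values
# are passed as extra argv items that the run handler reads as plain strings.
NOTIFY_SCRIPT = """on run argv
    display notification (item 1 of argv) with title (item 2 of argv) sound name "Glass"
end run"""

def build_notify_cmd_safe(message: str, title: str) -> list[str]:
    return ["osascript", "-e", NOTIFY_SCRIPT, message, title]

def script_source(cmd: list[str]) -> str:
    """The AppleScript that osascript will actually compile (the -e argument)."""
    return cmd[cmd.index("-e") + 1]

# Constructed payload: closes the notification string and concatenates the
# output of a shell command into it, which is valid AppleScript.
PAYLOAD = '" & (do shell script "id") & "'

def notify(message: str, title: str, timeout: float = 5.0) -> bool:
    """Send the notification with the hardened builder; returns False off macOS."""
    if sys.platform != "darwin":
        return False
    result = subprocess.run(build_notify_cmd_safe(message, title),
                            timeout=timeout, capture_output=True)
    return result.returncode == 0

if __name__ == "__main__":
    print("unsafe -e argument:", script_source(build_notify_cmd_unsafe(PAYLOAD, "Hub")))
    print("safe   -e argument:", script_source(build_notify_cmd_safe(PAYLOAD, "Hub")))
```

The hardened builder can be checked on any platform by inspecting the argv list without running osascript; only `notify()` needs macOS.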

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
def stop_hub():
    """Stop the Hub"""
    os.system("lsof -ti:3100 | xargs kill -9 2>/dev/null")
    time.sleep(1.5)

def db_setup_agents(agents_tokens: list):
Confidence
80% confidence
Finding
os.system("lsof -ti:3100 | xargs kill -9 2>/dev/null")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
print("  ✓ DB write complete")

        # Start the Hub
        os.system(f"cd {HUB_DIR} && {NPX_BIN} tsx src/server.ts > /tmp/hub-p2d2.log 2>&1 &")
        for _ in range(15):
            time.sleep(1)
            code2, _ = http("GET", "/health")
Confidence
97% confidence
Finding
os.system(f"cd {HUB_DIR} && {NPX_BIN} tsx src/server.ts > /tmp/hub-p2d2.log 2>&1 &")
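Both os.system() findings come from the same lifecycle code. The start string is parsed by a shell, so a `HUB_DIR` or `NPX_BIN` value containing shell metacharacters is executed rather than quoted, and the stop path kills whatever process currently owns port 3100, whether or not it is the hub. The following Python is an added example, not the skill's code, of the shape a reviewer would ask for instead: spawn with an argv list, record the child's PID, and stop only that PID. The class and file names are assumptions, and the demo uses a sleeping Python child in place of `npx tsx src/server.ts`.

```python
import subprocess
import sys
import tempfile
import time
from pathlib import Path

class ManagedProcess:
    """Start a child from an argv list (no shell), remember its PID, and stop
    that PID only. Replaces os.system() start strings and
    `lsof -ti:3100 | xargs kill -9`, which kills any owner of the port."""

    def __init__(self, argv, cwd=None, log_path="hub.log", pid_path="hub.pid"):
        self.argv = [str(a) for a in argv]
        self.cwd = cwd
        self.log_path = Path(log_path)
        self.pid_path = Path(pid_path)
        self.proc = None
        self._log = None

    def start(self) -> int:
        if self.is_running():
            return self.proc.pid
        self._log = open(self.log_path, "ab")
        # argv is a list, so directory and binary paths are never shell-parsed;
        # start_new_session keeps signals scoped to the child we spawned.
        self.proc = subprocess.Popen(
            self.argv, cwd=self.cwd, stdout=self._log, stderr=subprocess.STDOUT,
            start_new_session=True,
        )
        self.pid_path.write_text(str(self.proc.pid))
        return self.proc.pid

    def is_running(self) -> bool:
        return self.proc is not None and self.proc.poll() is None

    def stop(self, grace: float = 5.0):
        """SIGTERM the recorded child, escalate to SIGKILL after `grace` seconds.
        Returns the exit status, or None if nothing was running."""
        if not self.is_running():
            return None
        self.proc.terminate()
        try:
            self.proc.wait(timeout=grace)
        except subprocess.TimeoutExpired:
            self.proc.kill()
            self.proc.wait()
        self._log.close()
        self.pid_path.unlink(missing_ok=True)
        return self.proc.returncode

def wait_until(predicate, attempts=15, interval=1.0) -> bool:
    """Poll `predicate` up to `attempts` times, like the /health loop in the
    flagged script, without hard-coding the HTTP call."""
    for _ in range(attempts):
        if predicate():
            return True
        time.sleep(interval)
    return False

def demo_roundtrip() -> dict:
    """Start a sleeping Python child (constructed stand-in for the hub) in a
    temp dir, confirm it runs, stop it by PID, and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        hub = ManagedProcess(
            [sys.executable, "-c", "import time; time.sleep(60)"],
            log_path=Path(tmp) / "hub.log", pid_path=Path(tmp) / "hub.pid",
        )
        pid = hub.start()
        was_running = wait_until(hub.is_running, attempts=5, interval=0.1)
        pid_file_written = hub.pid_path.exists()
        status = hub.stop(grace=2.0)
        return {"pid": pid, "was_running": was_running,
                "pid_file_written": pid_file_written, "exit_status": status,
                "still_running": hub.is_running(),
                "pid_file_removed": not hub.pid_path.exists()}

if __name__ == "__main__":
    print(demo_roundtrip())
```

For the real hub the argv would be `[NPX_BIN, "tsx", "src/server.ts"]` with `cwd=HUB_DIR`, and the readiness check would wrap the existing `/health` request in the `wait_until` predicate.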

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def tsx(script: str) -> dict:
    """Run a tsx script and return the JSON result"""
    result = subprocess.run(
        ["npx", "tsx", "-e", script],
        capture_output=True, text=True, cwd=os.path.dirname(os.path.dirname(__file__))
    )
Confidence
97% confidence
Finding
result = subprocess.run( ["npx", "tsx", "-e", script], capture_output=True, text=True, cwd=os.path.dirname(os.path.dirname(__file__)) )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def tsx_eval(code):
    """Run a tsx code snippet and return the JSON result"""
    cmd = ["npx", "tsx", "-e", code]
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=15,
                          cwd=os.path.join(os.path.dirname(__file__), ".."))
    if proc.returncode != 0:
        return {"success": False, "error": proc.stderr.strip() or proc.stdout.strip()}
Confidence
97% confidence
Finding
proc = subprocess.run(cmd, capture_output=True, text=True, timeout=15, cwd=os.path.join(os.path.dirname(__file__), ".."))

subprocess module call

Medium
Category
Dangerous Code Execution
Content
with open(tmpfile, 'w') as f:
        f.write(script_content)
    try:
        result = subprocess.run(
            ['npx', 'tsx', tmpfile],
            capture_output=True, text=True, timeout=30, cwd=HUB_ROOT
        )
Confidence
95% confidence
Finding
result = subprocess.run( ['npx', 'tsx', tmpfile], capture_output=True, text=True, timeout=30, cwd=HUB_ROOT )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
with open(tmpfile, 'w') as f:
        f.write(script_content)
    try:
        result = subprocess.run(
            ['npx', 'tsx', tmpfile],
            capture_output=True, text=True, timeout=30, cwd=HUB_ROOT
        )
Confidence
92% confidence
Finding
result = subprocess.run( ['npx', 'tsx', tmpfile], capture_output=True, text=True, timeout=30, cwd=HUB_ROOT )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
tmp_path = os.path.join(HUB_DIR, "_tmp_test_day2.ts")
    with open(tmp_path, "w") as f:
        f.write(code)
    proc = subprocess.run(
        ["npx", "tsx", tmp_path],
        capture_output=True, text=True, cwd=HUB_DIR, timeout=30,
    )
Confidence
97% confidence
Finding
proc = subprocess.run( ["npx", "tsx", tmp_path], capture_output=True, text=True, cwd=HUB_DIR, timeout=30, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
with open(tmpfile, 'w') as f:
        f.write(script_content)
    try:
        result = subprocess.run(
            ['npx', 'tsx', tmpfile],
            capture_output=True, text=True, timeout=30, cwd=HUB_ROOT
        )
Confidence
89% confidence
Finding
result = subprocess.run( ['npx', 'tsx', tmpfile], capture_output=True, text=True, timeout=30, cwd=HUB_ROOT )

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The manifest positions the skill as a local stdio/SQLite middleware, but the documentation also describes an Express server and SSE transport for cross-agent communication. That expands the trust boundary from local-only tooling to network-reachable service behavior, which materially changes the exposure surface and can surprise operators.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Strategy/experience evolution and trust-score management are governance and decision-shaping functions beyond basic message forwarding and context sharing. When undocumented at the top level, these features can influence task routing, access, and collaboration behavior in ways users did not consent to or expect.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The file claims per-agent isolation, but earlier sections advertise broad history search and attachment listing without equally clear scope constraints. Contradictory access-control claims are dangerous because they can mask unintended cross-agent data exposure or cause integrators to assume stronger isolation than is actually enforced.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The code claims the audit log is immutable, but the archival routine explicitly drops the delete-protection trigger and then deletes records from the live audit table. This undermines tamper-resistance guarantees and creates a straightforward path for log erasure or selective cleanup if the archival function is invoked by an attacker or abused by an insider.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code explicitly claims the audit log is immutable, then later disables the delete-protection trigger and removes rows from the live audit table during archival. This breaks the integrity guarantees operators may rely on for forensic evidence and creates a tampering path for anyone able to invoke or modify the archival routine.
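Both findings above describe the same pattern: an archival routine that drops the delete-protection trigger and then removes rows from the live audit table. The following Python/SQLite snippet is an added example, not the skill's schema or code. It builds an append-only table guarded by RAISE(ABORT) triggers, chains each entry to the previous entry's hash, reproduces the flagged archive routine, and contrasts it with an archive that copies rows out without touching the live table. Table, column and function names are assumptions made for the example.

```python
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry

SCHEMA = """
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY, ts TEXT NOT NULL, actor TEXT NOT NULL,
    action TEXT NOT NULL, prev_hash TEXT NOT NULL, hash TEXT NOT NULL);
CREATE TABLE audit_archive (
    id INTEGER PRIMARY KEY, ts TEXT NOT NULL, actor TEXT NOT NULL,
    action TEXT NOT NULL, prev_hash TEXT NOT NULL, hash TEXT NOT NULL);
"""
# Delete/update protection of the kind the finding says the archival routine
# drops. RAISE(ABORT) makes the offending statement fail.
NO_DELETE = """CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
    BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;"""
NO_UPDATE = """CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
    BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + NO_DELETE + NO_UPDATE)
    return conn

def _entry_hash(prev_hash: str, ts: str, actor: str, action: str) -> str:
    return hashlib.sha256(json.dumps([prev_hash, ts, actor, action]).encode()).hexdigest()

def append(conn, actor: str, action: str) -> int:
    """Append one entry, chained to the previous entry's hash."""
    row = conn.execute("SELECT hash FROM audit_log ORDER BY id DESC LIMIT 1").fetchone()
    prev = row[0] if row else GENESIS
    ts = datetime.now(timezone.utc).isoformat()
    cur = conn.execute(
        "INSERT INTO audit_log (ts, actor, action, prev_hash, hash) VALUES (?,?,?,?,?)",
        (ts, actor, action, prev, _entry_hash(prev, ts, actor, action)))
    conn.commit()
    return cur.lastrowid

def delete_is_blocked(conn) -> bool:
    """True if the trigger still rejects deletes from the live table."""
    try:
        conn.execute("DELETE FROM audit_log")
    except sqlite3.DatabaseError:
        conn.rollback()
        return True
    conn.rollback()  # trigger was gone; undo the test delete
    return False

def archive_unsafe(conn, before_id: int) -> int:
    """The flagged pattern: drop the guard, move rows, recreate the guard.
    Anyone who can call this can erase history."""
    conn.execute("DROP TRIGGER audit_no_delete")
    conn.execute("INSERT OR IGNORE INTO audit_archive SELECT * FROM audit_log WHERE id < ?", (before_id,))
    cur = conn.execute("DELETE FROM audit_log WHERE id < ?", (before_id,))
    conn.execute(NO_DELETE)
    conn.commit()
    return cur.rowcount

def archive_safe(conn, before_id: int) -> int:
    """Copy rows to the archive table and leave the live table untouched; the
    triggers stay in place and the chain remains verifiable."""
    cur = conn.execute("INSERT OR IGNORE INTO audit_archive SELECT * FROM audit_log WHERE id < ?", (before_id,))
    conn.commit()
    return cur.rowcount

def verify_chain(conn) -> bool:
    """Recompute every hash from the genesis value; any gap or edit breaks it."""
    prev = GENESIS
    for ts, actor, action, prev_hash, h in conn.execute(
            "SELECT ts, actor, action, prev_hash, hash FROM audit_log ORDER BY id"):
        if prev_hash != prev or h != _entry_hash(prev, ts, actor, action):
            return False
        prev = h
    return True

def live_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
```

The hash chain does not stop a caller with DDL rights from dropping the trigger, but it makes the erasure detectable: after `archive_unsafe` the first surviving row's `prev_hash` no longer points at the genesis value, so `verify_chain` fails, whereas after `archive_safe` the live table and its chain are unchanged.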

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module exposes two inconsistent feedback paths: `feedbackStrategy` rejects duplicate feedback, while `provideFeedback` silently overwrites an existing record via UPSERT. In a trust/evolution system, this can let agents revise prior votes after observing others' responses, undermining auditability, anti-gaming assumptions, and any workflow that treats feedback as immutable.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The scoring logic claims to operate on approved strategies, but the query uses `s.approved = 1` while the rest of the module uses a `status` field such as `'approved'`. If that column does not exist or is semantically different, stale strategies may never be rescored or the routine may malfunction, weakening controls intended to demote ineffective strategies.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The provideFeedback UPSERT path does not preserve the documented semantics and likely fails to return a reliable feedback record identifier on conflict, which can break downstream logic that assumes an update succeeded cleanly. In a multi-agent coordination system, inconsistent feedback persistence can be abused to skew approval, veto, or reputation workflows by causing stale or duplicate state.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The stale-feedback scoring logic filters on a contradictory or non-existent approval field (`s.approved = 1`) rather than the status model used elsewhere (`status = 'approved'`). This can silently disable or misdirect automated scoring, allowing ineffective or malicious strategies to avoid downgrade and remain trusted longer than intended.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The heartbeat monitor's logic contradicts its documented behavior: it only selects agents whose status is already 'online', but marks them 'offline' once they exceed the 90-second threshold. After that state transition, those agents are no longer included in subsequent stale-agent queries, so the 5-minute notification path is effectively unreachable. In a multi-agent coordination hub, this breaks expected liveness signaling and can cause silent loss of peer awareness, reducing reliability and weakening incident detection.
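To make the unreachable-path claim concrete, the following Python/SQLite model is an added example, not the skill's code: `sweep_as_described` selects only agents whose status is `online`, as the finding states, while `sweep_fixed` selects by heartbeat age and tracks notification separately. The 90-second and 300-second thresholds come from the finding; the table layout, sweep times and agent name are constructed for the example.

```python
import sqlite3

OFFLINE_AFTER = 90   # seconds without a heartbeat before status flips to offline
NOTIFY_AFTER = 300   # seconds without a heartbeat before peers are notified

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE agents (
        id TEXT PRIMARY KEY, status TEXT NOT NULL,
        last_heartbeat INTEGER NOT NULL, offline_notified INTEGER NOT NULL DEFAULT 0)""")
    return conn

def heartbeat(conn, agent_id: str, now: int) -> None:
    conn.execute("INSERT OR REPLACE INTO agents (id, status, last_heartbeat, offline_notified) "
                 "VALUES (?, 'online', ?, 0)", (agent_id, now))
    conn.commit()

def sweep_as_described(conn, now: int) -> list:
    """Model of the flagged logic. Only 'online' agents are examined, so an agent
    is flipped to offline at 90s and then never selected again; the 300s branch
    can only fire if one sweep is the first to see the agent and it is already
    more than 300s stale."""
    notified = []
    rows = conn.execute("SELECT id, last_heartbeat FROM agents "
                        "WHERE status = 'online' AND ? - last_heartbeat > ?",
                        (now, OFFLINE_AFTER)).fetchall()
    for agent_id, last in rows:
        if now - last > NOTIFY_AFTER:
            notified.append(agent_id)
        conn.execute("UPDATE agents SET status = 'offline' WHERE id = ?", (agent_id,))
    conn.commit()
    return notified

def sweep_fixed(conn, now: int) -> list:
    """Select by heartbeat age rather than current status, and record the
    notification so the 300s path is reachable across sweeps and fires once."""
    notified = []
    rows = conn.execute("SELECT id, status, last_heartbeat, offline_notified FROM agents "
                        "WHERE ? - last_heartbeat > ?", (now, OFFLINE_AFTER)).fetchall()
    for agent_id, status, last, already in rows:
        if status == "online":
            conn.execute("UPDATE agents SET status = 'offline' WHERE id = ?", (agent_id,))
        if now - last > NOTIFY_AFTER and not already:
            conn.execute("UPDATE agents SET offline_notified = 1 WHERE id = ?", (agent_id,))
            notified.append(agent_id)
    conn.commit()
    return notified

def status_of(conn, agent_id: str) -> str:
    return conn.execute("SELECT status FROM agents WHERE id = ?", (agent_id,)).fetchone()[0]

def simulate(sweep, times=(100, 200, 400, 500)) -> dict:
    """Constructed timeline: agent 'a' heartbeats at t=0 and then goes silent;
    the sweep runs at each time and the agents it notifies are recorded."""
    conn = open_db()
    heartbeat(conn, "a", 0)
    return {t: sweep(conn, t) for t in times}

if __name__ == "__main__":
    print("as described:", simulate(sweep_as_described))
    print("fixed:       ", simulate(sweep_fixed))
```

With sweeps every 100 seconds the described logic never notifies anyone: the agent is offline from the first sweep onward and drops out of the query. The fixed sweep flips the status at t=100 and raises the notification once at t=400.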

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
`updateAgentTrustScore` is documented as "admin only" but enforces no authorization at all; any caller that can reach this function can arbitrarily raise or lower another agent's trust score. In this skill, trust score appears to influence agent reputation and possibly downstream coordination decisions, so unauthorized manipulation can subvert policy and enable abuse or denial of service against other agents.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
`setAgentRole` claims to be "admin only" but never checks whether `operatorId` belongs to an admin; it only checks that the operator is not modifying themselves and that non-admin targets cannot be promoted to admin. An unprivileged caller can still change other agents between `member` and `group_admin`, assign `managed_group_id`, and potentially demote admins to lower roles, resulting in privilege manipulation and control over multi-agent routing or administration.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
getMemoryStats() returns global counts for all agents and scopes without any caller identity, authorization check, or redaction. In a multi-agent communication and shared-memory hub, this enables cross-tenant metadata disclosure: even if memory contents are protected, per-agent counts and scope distribution can reveal activity levels, presence, and operational patterns of other agents.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
`checkPermission` effectively returns `true` for every registered `member` tool regardless of the caller's actual role, and it also allows access to any unregistered tool by default. In a multi-agent communication hub, this creates an authorization fail-open condition where low-privilege or malformed-role callers can invoke sensitive message, task, memory, file, and workflow operations that should be restricted.
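The three findings above (`updateAgentTrustScore`, `setAgentRole` and `checkPermission`) share one root cause: authority is never established from the caller's role, and the tool registry fails open for unregistered tools. The following Python is an added example, not the hub's TypeScript: a deny-by-default `check_permission` over an explicit tool registry, plus admin-only `set_agent_role` and `update_agent_trust_score` that verify the operator's role before any target checks. The role names `admin`, `group_admin` and `member` and the field `managed_group_id` are taken from the findings; the tool list, the trust-score range and the in-memory agent directory are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Role ranks; a role that is not listed is unknown and is denied everything.
RANK = {"member": 0, "group_admin": 1, "admin": 2}

# Tool registry (assumed tool names): minimum role per tool. An unregistered
# tool is denied, the opposite of the fail-open default the finding describes.
TOOL_MIN_ROLE = {
    "send_message": "member", "list_tasks": "member", "memory_get": "member",
    "file_delete": "group_admin", "workflow_cancel": "group_admin",
    "set_agent_role": "admin", "update_agent_trust_score": "admin",
}

def check_permission(role: str, tool: str, registry=TOOL_MIN_ROLE) -> bool:
    required = registry.get(tool)
    if required is None or role not in RANK:
        return False
    return RANK[role] >= RANK[required]

@dataclass
class Agent:
    id: str
    role: str = "member"
    trust_score: int = 50
    managed_group_id: Optional[str] = None

def _require(agents: dict, operator_id: str, tool: str) -> Agent:
    """Resolve the operator and check its role against the tool's requirement."""
    operator = agents.get(operator_id)
    if operator is None or not check_permission(operator.role, tool):
        raise PermissionError(f"{operator_id!r} may not call {tool}")
    return operator

def set_agent_role(agents: dict, operator_id: str, target_id: str,
                   new_role: str, managed_group_id: Optional[str] = None) -> Agent:
    """Admin-only role change. The operator's own role is checked first; the
    self-modification and target checks alone establish no authority."""
    _require(agents, operator_id, "set_agent_role")
    if operator_id == target_id:
        raise PermissionError("operators may not change their own role")
    if new_role not in RANK:
        raise ValueError(f"unknown role {new_role!r}")
    target = agents[target_id]
    target.role = new_role
    target.managed_group_id = managed_group_id if new_role == "group_admin" else None
    return target

def update_agent_trust_score(agents: dict, operator_id: str, target_id: str, delta: int) -> int:
    """Admin-only trust adjustment, clamped to an assumed 0..100 range."""
    _require(agents, operator_id, "update_agent_trust_score")
    target = agents[target_id]
    target.trust_score = max(0, min(100, target.trust_score + delta))
    return target.trust_score

def demo_agents() -> dict:
    """Constructed directory: one admin, one group admin, one member."""
    return {a.id: a for a in (Agent("root", "admin"),
                              Agent("lead", "group_admin", managed_group_id="g1"),
                              Agent("bob"))}

def attempt(fn, *args) -> str:
    """Run an operation and report 'ok' or the exception class name."""
    try:
        fn(*args)
        return "ok"
    except Exception as exc:
        return type(exc).__name__

if __name__ == "__main__":
    agents = demo_agents()
    print("member promotes group admin:", attempt(set_agent_role, agents, "bob", "lead", "member"))
    print("admin promotes member:      ", attempt(set_agent_role, agents, "root", "bob", "group_admin", "g2"))
    print("member touches trust score: ", attempt(update_agent_trust_score, agents, "bob", "lead", -100))
```

The registry lookup and the role lookup both deny on a miss, so a malformed role string or a tool that was never registered cannot pass, and every privileged operation goes through the same `_require` check rather than a partial target-side rule.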

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The unauthenticated /health and /metrics endpoints disclose runtime, memory, database size/table statistics, active SSE connection counts, and hub metrics to any caller. For a multi-agent communication hub, this materially aids reconnaissance by exposing operational state and system footprint that can support targeted abuse, capacity attacks, or tenant/activity inference.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The unauthenticated /health and /metrics endpoints disclose operational details including uptime, memory usage, active SSE connections, database size, table stats, and hub-specific metrics. In a multi-agent messaging hub, this materially helps reconnaissance by revealing deployment shape, load, and internal state that can be used to time attacks, enumerate usage patterns, or infer sensitive system activity.

VirusTotal

65/65 vendors flagged this skill as clean.
