Back to skill

Security audit

Live Neon Persona

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for an external identity-discovery service, but it encourages proactive and scheduled upload of user-derived observations and can alter an agent's runtime prompt without enough privacy and approval guardrails.

Install only if you intend to use Live Neon as an external identity-discovery service for your agent. Do not send secrets, credentials, private customer text, regulated data, or confidential business context in observations, quotes, synced sources, or connected accounts. Review pending beliefs and responsibilities manually before approval, avoid approve-all, and enable heartbeat or proactive reporting only where recurring third-party data transmission is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Low
Confidence
80% confidence
Finding
The documentation introduces a recurring '/ln heartbeat' style workflow that performs observation upload, content sync, discovery, and prompt retrieval, despite that capability not being clearly declared in the manifest. Undeclared automation materially changes the risk profile because it encourages periodic autonomous data transmission and processing that users may not expect.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly encourages sending user corrections and notable interactions to an external platform via '/ln observe' without warning that user-provided text may leave the local environment. This can cause inadvertent disclosure of sensitive prompts, personal data, or confidential business context to a third-party service.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The scheduled heartbeat workflow normalizes automated upload of accumulated observations and syncing of external content, but it does not warn that this may continuously transmit sensitive user or organizational data to the platform. Because it is recurring and potentially unattended, the exposure risk is higher than one-off API calls.

External Transmission

Medium
Category
Data Exfiltration
Content
**Single observation:**
```bash
curl -s -X POST "$LIVE_NEON_BASE/observations" \
  -H "Authorization: Bearer $LIVE_NEON_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
98% confidence
Finding
curl -s -X POST "$LIVE_NEON_BASE/observations" \ -H "Authorization: Bearer $LIVE_NEON_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "agent_id": "'$AGENT_ID'", "content": "User cor

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 1. Report observations accumulated since last heartbeat
curl -s -X POST "$LIVE_NEON_BASE/observations" \
  -H "Authorization: Bearer $LIVE_NEON_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
98% confidence
Finding
curl -s -X POST "$LIVE_NEON_BASE/observations" \ -H "Authorization: Bearer $LIVE_NEON_TOKEN" \ -H "Content-Type: application/json" \ -d '{ "agent_id": "'$AGENT_ID'", "observations": [

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| Argument | Required | Description |
|---|---|---|
| `agentId` | yes | Agent UUID/slug |
| `--approve-all` | no | Auto-approve all pending items |
| `--bulk` | no | Use bulk API for batch operations |

**API calls:**
Confidence
89% confidence
Finding
Auto-approve

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.