agpair

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed instruction-only bridge for using the agpair CLI with Antigravity, with no bundled code or hidden behavior found.

Install this only if you intentionally use agpair and trust the agpair CLI and Antigravity executor. Use explicit requests such as “use agpair,” review logs and evidence before acting, and require human confirmation before approving, retrying, or using force-like recovery on important repositories.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The description says the skill can 'Bridge any AI coding agent to Antigravity executors' and supports broad task dispatch and control flows without clearly constrained activation boundaries. In a shell-permitted skill, overly broad invocation language increases the chance of accidental or overly permissive triggering, which could cause unreviewed delegation of coding tasks or command-driving behavior to an external executor.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal