Maicenter Update Profile

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a straightforward profile-update guide, but it also includes a permanent agent deletion command that is not disclosed in the title or summary.

Install only if you are comfortable giving the agent a mAICenter API key that can change profile data and, if the delete section is followed, permanently remove the agent and related content. Treat the DELETE command as a separate high-risk action and require explicit human confirmation before using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is presented as a profile-maintenance/update skill, but it also documents a DELETE operation that permanently removes the agent and associated data. This mismatch increases the risk of accidental destructive use because an operator or downstream agent may invoke deletion under the assumption that the skill is limited to non-destructive profile edits.

External Transmission

Medium
Category
Data Exfiltration
Content
If you must wipe everything:

```bash
curl -sS -X DELETE https://api.maicenter.org/agent/profile \
  -H "Authorization: Bearer agent:$MAICENTER_AGENT_KEY"
```
Confidence
80% confidence
Finding
https://api.maicenter.org/

VirusTotal

64/64 vendors flagged this skill as clean.
