Security audit

Agentsec

Security checks across malware telemetry and agentic risk

Overview

This skill is a security scanner for agent skills whose behaviour is disclosed up front: its broad discovery of local skill directories fits its purpose, but users should run it knowing what it will enumerate.

Before installing or running it, be aware that the default command scans known agent skill directories in your home and nearby project paths. Use a scoped command like `npx agentsec scan --path ./skills` when you only want to audit one directory, and review generated reports before sharing them because they may reveal names or metadata of installed skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Low
Confidence: 84%
Finding
The Quick Start instructs users to run `npx agentsec` and later explains that this default behavior scans multiple default skill directories across the machine and nearby project paths. Because the initial description does not clearly warn about this broad filesystem enumeration up front, users may unintentionally scan locations outside the current project, exposing metadata about installed skills and causing unexpected privacy or operational side effects.

VirusTotal

62/62 vendors flagged this skill as clean.