Agent Swarm Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed automation skill, but it can autonomously edit, push, create, and merge code with broad local and account-level authority.

Install only if you intentionally want autonomous coding infrastructure with access to your local repositories, AI-tool sessions, Git provider credentials, Obsidian task notes, and notification destinations. Use dedicated low-privilege Git and AI accounts, start with test repositories, keep the Obsidian intake folder controlled, review cron entries before enabling them, and add confirmation gates for repo creation, pushes, merges, cleanup, and external notifications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly enables shell execution, file reads, and file writes across local repos, worktrees, task state, and notification flows, yet it declares no explicit permissions or constraints. This creates a dangerous mismatch: an invoking system or user may treat the skill as low-risk while it can perform high-impact actions such as spawning agents, merging code, modifying repositories, and sending external messages.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The coding and review helpers invoke external AI agents with explicit flags that disable approval and sandbox protections, allowing generated or prompt-driven actions to execute with the full privileges of the host environment. In an orchestration skill that processes task intake, repositories, and merge flows across multiple projects, this materially increases the risk of prompt-injection-driven code execution, credential access, repository tampering, and destructive local actions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are extremely broad and include common conversational words like "merge," "spawn," and "check status," which can match benign discussion rather than an intentional command. In this skill, those phrases map to real shell actions affecting GitLab merge requests, task spawning, and monitoring, so accidental activation could change repository state or launch automation unexpectedly.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to execute merge, spawn, status, and project-creation actions immediately without confirmation. Because these actions invoke shell scripts that can merge code, create branches/worktrees, and alter project state, a mistaken or maliciously crafted prompt can cause irreversible operational changes before the user has a chance to review them.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The review helper sends the contents of a local prompt file to external AI services without any disclosure, consent check, or content filtering. Because prompt files in this workflow may contain code, secrets, internal issue text, or proprietary repository context, this creates a real data-exfiltration and compliance risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The notification helper forwards arbitrary message content to external channels or webhooks without any visible disclosure, sanitization policy, or destination validation. In this orchestration context, notifications may include task details, repository names, MR links, review summaries, or error output, which can leak sensitive internal data to unintended recipients.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This script performs destructive operations on local filesystem and git state, including force-removing an existing worktree, recursively deleting the worktree directory as a fallback, and force-deleting a branch. Although arguments are quoted and the behavior appears intended for automation, the lack of an explicit confirmation gate or safety checks means a misconfigured registry, unexpected path value, or task/branch collision could delete local work or corrupt a repository checkout.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Intent → Action Mapping

When a user message matches one of these intents, take the corresponding action immediately without asking for confirmation:

| User says | Context | Action |
|-----------|---------|--------|
Confidence
95% confidence
Finding
without asking

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal