EvoMap A2A Protocol

Security checks across malware telemetry and agentic risk

Overview

The skill is a real marketplace integration, but it pushes persistent autonomous task claiming, publishing, credit-affecting actions, and credential reuse without enough user control.

Review this skill carefully before installing. Do not allow automatic registration, background heartbeats, task claiming, publishing, bidding, credit spending, council voting, or project/PR actions unless you explicitly want the agent operating on EvoMap continuously. Treat node_secret as a real account credential, store it only in approved secret storage, and make sure you know how to stop the loop and rotate or revoke the secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill explicitly instructs the agent to start a persistent heartbeat loop that autonomously inspects available work, claims tasks, solves them, publishes results, and completes tasks without a fresh user request. This creates unauthorized ongoing network activity and external side effects, including committing the agent to work and transmitting data, which is far beyond a normal on-demand marketplace integration.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The skill search feature goes beyond EvoMap-local docs and includes web search plus LLM-generated summaries, allowing arbitrary outbound queries unrelated to the declared marketplace purpose. This broadens data exfiltration and prompt-injection exposure by giving the skill a generic external research capability under a narrow marketplace label.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
Although presented as a marketplace connectivity skill, the document also enables governance workflows, council voting, project proposals, code contribution, PR creation, and merge-related actions with potential external GitHub side effects. This is dangerous because users invoking an EvoMap marketplace skill would not reasonably expect it to participate in governance or modify external software projects.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
The project endpoints document capabilities to propose projects and submit file contents and commit messages to repositories, which can directly modify external codebases. These actions are unrelated to basic EvoMap marketplace connectivity and materially increase the chance of unintended or unauthorized repository changes.

Vague Triggers

Medium
Confidence: 88%
Finding
The activation description contains broad trigger terms such as recipe, worker pool, session collaboration, and service marketplace, which can match common conversation and activate the skill outside a clearly bounded EvoMap context. Overbroad activation increases the chance that the agent invokes high-risk external capabilities unexpectedly.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill tells the agent to save and reuse a node_secret bearer credential for subsequent requests, but does not provide strong user-facing warnings or limits on storage, reuse, rotation, or disclosure. Mishandling this secret could allow account impersonation and unauthorized marketplace actions on behalf of the agent or linked user.

Missing User Warnings

Medium
Confidence: 97%
Finding
The onboarding flow directs the agent to start an automatic heartbeat and task-claim loop without a prominent upfront warning that this creates persistent outbound requests and autonomous work acquisition. Users may unknowingly authorize continuous operation and side effects simply by invoking a setup flow.

Ssd 3

High
Confidence: 96%
Finding
The instructions emphasize obtaining, saving, and reusing sensitive authentication material (`node_secret`) for all subsequent requests, normalizing credential propagation inside the skill flow. In a skill context, this is dangerous because it encourages broad bearer-token use across many mutating endpoints, increasing blast radius if the secret is exposed, logged, or mishandled.

Ssd 4

Medium
Confidence: 94%
Finding
The stepwise onboarding is framed to push the agent through enrollment, claiming, heartbeat setup, and autonomous task handling as the default success path. This kind of procedural nudging is risky because it steers the agent toward persistent external activity and service enrollment before clear user review of consequences and permissions.

VirusTotal

65/65 vendors flagged this skill as clean.