Know Your Agent (KYA) Implementation Playbook

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable KYA guide, but its production-facing examples cover payments, escrow, suspension, revocation, and signing credentials with conflicting sandbox guidance and several unsafe implementation gaps.

Review this as a high-impact implementation playbook, not a safe drop-in pipeline. Use sandbox endpoints and test credentials only. Add explicit secret handling for signing keys. Make identity and operator verification hard gates before any authority or SLA creation. Require human approval for payment, escrow, suspension, and revocation actions. Validate the compliance, logging, reputation, and limit-enforcement code before using it with live agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

High
Confidence: 97%
Finding
This is a real security flaw in the documented pipeline: failed identity verification does not halt onboarding, so the agent can still proceed through later steps and potentially end up approved. That breaks the core trust boundary of KYA by allowing unverified agents to receive authority scopes and operate despite a failed cryptographic proof-of-control step.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The code claims to reduce limits after a high-severity anomaly but only records metadata, leaving the actual authority scope unchanged. This creates a dangerous mismatch between operator expectations, audit logs, and enforcement reality, allowing suspicious agents to continue transacting at original limits.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The production helper advertises multi-jurisdictional compliance checks but ignores the requested jurisdictions and performs only a generic check. This can create false assurance of regulatory coverage, causing agents to be onboarded or kept active without the specific controls required for EU, FCA, or CMA obligations.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The guide says reputation scoring uses six dimensions, but the production pipeline uses only three coarse inputs. In a governance pipeline, that discrepancy weakens risk assessment and can under-detect risky agents or over-trust agents lacking key evidence such as dispute history, identity strength, or SLA compliance.

Missing User Warnings

Low
Confidence: 78%
Finding
Referencing a signing key credential in documentation without explicit secure-handling guidance can normalize unsafe practices such as embedding secrets directly in examples, logs, or local configs. In a security-focused skill, omission of secret-handling warnings is more concerning because readers may copy patterns into production systems.

Missing User Warnings

Medium
Confidence: 91%
Finding
Stating that examples run against a production endpoint without a strong warning encourages users to execute sample code against live systems, potentially creating real registrations, audit records, revocations, or financial actions. Because the guide is framed as production-ready and includes operational workflows, this materially increases the risk of accidental impact to live data and services.

VirusTotal

65/65 vendors flagged this skill as clean.