Agent Genome Encoding

Security checks across malware telemetry and agentic risk

Overview

This skill has a clear AI-genome purpose, but the reviewed package is incomplete and tells the agent to run helper Python files that are not included.

Review before installing. Only run the encode, compare, view, card, or self-report commands from a directory where encoder.py, visualize.py, agent_report.py, and library files are known and trusted. Use the mock option if you do not want SOUL.md content sent to a Claude API call, and expect the bundled HTML reports to contact Google Fonts when opened unless network access is blocked.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Severity: Low
Confidence: 95%
Finding
The page imports Google Fonts from a third party, which causes client browsers to make outbound requests and disclose metadata such as IP address, user agent, and referrer context to Google. For a static experiment report, this is unnecessary external data exposure and introduces a supply-chain/dependency risk if the remote resource changes or becomes unavailable.

VirusTotal

66/66 vendors flagged this skill as clean.