
Security audit

Agent-to-Owner File Bridge

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed file-sharing bridge, but users should approve only specific files and be cautious with temporary public tunnels and bridge keys.

Install only if you need an agent-to-owner file-sharing bridge. If you do:
  • Prefer manual hosting on infrastructure you control.
  • Approve each file and each destination individually.
  • Avoid sending sensitive data unless it is necessary.
  • Keep API keys out of URLs; tunnel, proxy and browser logs record URLs.
  • Review the external server.py before enabling autonomous mode.
  • Close tunnels and delete temporary keys after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch
Severity: Medium
Confidence: 90%
Finding: The skill is presented primarily as a file-sharing/upload bridge, but its documented API also exposes listing and deletion operations. That expands the effective capability from one-way export to remote file management, which can surprise users, increase the blast radius if credentials leak, and enable unauthorized enumeration or deletion of uploaded content.

Context-Inappropriate Capability
Severity: Medium
Confidence: 86%
Finding: The autonomous workflow instructs the agent to start a local server, generate credentials, and expose it through a public tunnel. Even with the approval language in the instructions, this materially increases attack surface beyond simple file upload: it creates an externally reachable service from the agent environment, which may be misconfigured, abused, or used to expose unintended data.

Description-Behavior Mismatch
Severity: Medium
Confidence: 85%
Finding: The documented capabilities go beyond a narrow agent-to-owner file handoff and include listing, viewing, deep-linking into ZIP contents, and deleting files. That broader file-management surface increases the chance an agent will expose, browse, or manipulate files in ways not strictly required for a one-way owner delivery workflow.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The instructions explicitly tell the agent to run its own server and expose it through a zero-auth public tunnel. This creates an internet-reachable service from the agent workspace, substantially increasing the risk of unauthorized access, data exposure, and abuse of any files made available through that bridge.

Vague Triggers
Severity: Medium
Confidence: 80%
Finding: The trigger phrases are broad enough that the skill may activate in many ordinary file-related conversations, potentially causing the agent to propose or initiate a network-sharing workflow when the user only intended local handling. In a skill that can export data and expose services, overbroad activation increases the chance of unintended disclosure or risky setup prompts.

Vague Triggers
Severity: Medium
Confidence: 87%
Finding: The invocation guidance is broad enough that an agent may decide to host and expose a transfer bridge in many normal interactions without a clear security threshold or approval step. In this skill context, that increases the likelihood of risky deployment behavior becoming routine rather than exceptional.

Missing User Warnings
Severity: Medium
Confidence: 82%
Finding: The delete capability is documented as a normal API action but provides no warning, confirmation, or ownership-validation guidance. An agent following these instructions could delete files prematurely or based on ambiguous prompts, causing data loss or disrupting the owner's ability to retrieve outputs.

Natural-Language Policy Violations
Severity: High
Confidence: 99%
Finding: The guidance to use a 'zero-auth free tunnel' directly undermines the same document's expectation of API-key-based authentication. Even if the upload API has some authentication options, publicly exposing the service through an unauthenticated tunnel weakens access control and can make sensitive file endpoints reachable by unintended parties.
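As an added example, not the skill's own server.py (which is not reproduced on this page), the request handler below sketches the controls the Overview and the findings above ask for: the bridge key is accepted only from an X-Bridge-Key header and a request is rejected outright if a key appears in the URL, listing and deletion are disabled unless the owner opts in, and a delete must echo the file id in a second X-Confirm-Delete header so an ambiguous prompt cannot remove a file in one step. The route layout, header names and config fields are assumptions chosen for illustration; the sample requests in the main guard are constructed.

```python
"""Illustrative hardened handler for an agent-to-owner file bridge.

Added example; not the audited skill's server.py. Routes, header names and
config fields are assumptions. Header lookup is a plain dict (case-sensitive)
to keep the example short.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Query-string names under which a key is commonly (and wrongly) passed.
KEY_QUERY_NAMES = {"key", "api_key", "apikey", "token", "bridge_key"}


@dataclass
class BridgeConfig:
    api_key: str
    allow_list: bool = False    # enumeration stays off unless the owner opts in
    allow_delete: bool = False  # deletion stays off unless the owner opts in


@dataclass
class Store:
    files: dict = field(default_factory=dict)  # id -> (name, content bytes)


def authorize(config, headers, query):
    """Return (ok, reason). Only X-Bridge-Key is accepted; a key in the URL
    is refused because tunnel, proxy and browser logs record URLs."""
    if KEY_QUERY_NAMES & set(query):
        return False, "bridge key must be sent in X-Bridge-Key, not in the URL"
    presented = headers.get("X-Bridge-Key", "")
    # Constant-time compare; lengths may differ, compare_digest handles that.
    if not hmac.compare_digest(presented.encode(), config.api_key.encode()):
        return False, "invalid or missing bridge key"
    return True, ""


def handle(config, store, method, target, headers, body=b""):
    """Dispatch one request and return (status, payload)."""
    parts = urlsplit(target)
    ok, why = authorize(config, headers, parse_qs(parts.query))
    if not ok:
        return 401, {"error": why}
    segs = [s for s in parts.path.split("/") if s]

    if method == "POST" and segs == ["files"]:
        name = headers.get("X-File-Name", "")
        if not name or "/" in name or name.startswith("."):
            return 400, {"error": "bad file name"}
        fid = secrets.token_urlsafe(16)  # unguessable id, never sequential
        store.files[fid] = (name, bytes(body))
        return 201, {"id": fid, "name": name}

    if method == "GET" and segs == ["files"]:
        if not config.allow_list:
            return 403, {"error": "listing is disabled for this bridge"}
        return 200, {"files": [{"id": i, "name": n} for i, (n, _) in store.files.items()]}

    if method == "GET" and len(segs) == 2 and segs[0] == "files":
        entry = store.files.get(segs[1])
        if entry is None:
            return 404, {"error": "no such file"}
        return 200, {"name": entry[0], "size": len(entry[1])}

    if method == "DELETE" and len(segs) == 2 and segs[0] == "files":
        if not config.allow_delete:
            return 403, {"error": "delete is disabled for this bridge"}
        fid = segs[1]
        # The caller must repeat the id in a second header, so a single
        # ambiguous DELETE issued by an agent cannot remove a file by accident.
        if headers.get("X-Confirm-Delete") != fid:
            return 409, {"error": "repeat the file id in X-Confirm-Delete"}
        if store.files.pop(fid, None) is None:
            return 404, {"error": "no such file"}
        return 200, {"deleted": fid}

    return 404, {"error": "unknown route"}


if __name__ == "__main__":
    # Constructed sample traffic against an in-memory store.
    cfg = BridgeConfig(api_key=secrets.token_urlsafe(32))
    st = Store()
    hdr = {"X-Bridge-Key": cfg.api_key, "X-File-Name": "report.txt"}
    print(handle(cfg, st, "POST", "/files", hdr, b"hello owner"))
    print(handle(cfg, st, "POST", "/files?key=" + cfg.api_key, hdr, b"x"))
    print(handle(cfg, st, "GET", "/files", hdr))
```

The point of the design is that the defaults match the narrow use case the skill advertises (one-way handoff): anything beyond upload-and-fetch requires the owner to flip a flag, and the delete route requires the caller to prove it knows exactly which file it is removing. Exposing even this handler through a zero-auth tunnel still publishes the endpoint to the internet; the header check is the only thing standing between the tunnel and the files, which is why the bridge key must never ride in the URL.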

VirusTotal

All 64 VirusTotal vendors reported this skill as clean (0/64 detections). A clean result covers known malware signatures only; it does not address the agentic-risk findings above.
