COMCOO Arbiter Meta-OS

Security checks across malware telemetry and agentic risk

Overview

This skill is a conceptual/demo bundle with broad governance-themed claims, but its code only logs simulated actions and does not access data, credentials, networks, or persistence.

Safe to install from a technical security standpoint, but treat it as a manifesto or simulation rather than a real cryptographic attestation, labor-credit, governance, or compliance system. Do not rely on its console output as proof that work, identity, credit, or infrastructure claims were actually verified.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 92% confidence
Finding: The file presents itself as performing ethical work validation and verifying '60 Human Moments,' but the implementation only emits console messages based on a hardcoded local object and a simple heatscore threshold. This mismatch can mislead users or downstream systems into treating unverifiable claims as authenticated results, enabling trust abuse, false attestation, or audit bypass if integrated into a larger workflow.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal