Agent Identity

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: create and manage agent cryptographic identities, with the main risk being how users store generated private keys.

Install only if you need an agent identity/key-management helper. Use encrypted private keys where possible, avoid passing passwords on the command line, keep the keys directory private, and do not sync or share generated private keys casually.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 97%
Finding
The tool allows private keys to be written to disk with NoEncryption() when no password is supplied, and it provides no strong runtime warning or safe default. If those files are exposed through local compromise, backups, shared volumes, or permissive filesystem access, an attacker can impersonate the agent and forge signatures.

VirusTotal

65/65 vendors flagged this skill as clean.
