Friends to the End

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed multi-agent handoff skill with no executable payload, though users should treat its broad trigger phrase and profile-cloning guidance carefully.

Install only if you use Hermes-style multi-agent workflows. Before using it, make sure another profile is invited only on explicit user intent, avoid cloning personal profiles with secrets unless necessary, and verify any cross-agent result before acting on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence: 97%
Finding
The alias/trigger phrase "wanna play" is broad, colloquial language that can easily appear in ordinary conversation unrelated to multi-agent handoff. In a skill system that activates based on natural-language triggers, this raises the chance of accidental invocation and unintended profile-to-profile collaboration, which could expand tool access or cause context sharing the user did not explicitly intend.

Vague Triggers

Medium
Confidence: 93%
Finding
The phrase "or similar" makes the activation guidance open-ended and ambiguous, encouraging broad interpretation of user intent. For a skill that can coordinate multiple agents, hand off work, and potentially move context across systems, vague trigger criteria increase the risk of unintended activation and unauthorized or surprising behavior.

VirusTotal

64/64 vendors flagged this skill as clean.
