Back to skill

Security audit

Agent Collaboration Protocol

Security checks across malware telemetry and agentic risk

Overview

This skill is a mostly transparent multi-agent build workflow, but it also directs agents through live deployment changes and service restarts without a clear approval gate.

Install only if you want an agent workflow that may coordinate both code generation and deployment activation. Treat the deploy section as manual guidance: review diffs, run tests, confirm the target environment and paths, and explicitly approve any copy, symlink, server config, or restart action. Do not put real credentials or production secrets in shared specs or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill is framed as a collaboration/orchestration protocol, but it includes concrete deployment actions against live server paths: copying into active trees, swapping symlinks, restarting services, and performing rollbacks. Those actions materially change production state and expand the blast radius from code generation to live operations, which is dangerous if invoked automatically, by the wrong user, or against the wrong path.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The documented purpose is multi-agent backend/frontend collaboration, yet the file grants infrastructure and service-management behavior such as deployment-target changes and service restarts. This scope creep makes the skill capable of operational changes unrelated to mere coordination, increasing the chance that an orchestrator uses it to perform privileged actions without the safeguards normally expected for deployment tooling.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
Early sections state both builders write within an isolated shared build directory, but the later filesystem conventions say the human-facing workspace symlink points to the live deployment and that editing there writes to the live build. This inconsistency can cause operators or agents to believe they are modifying an isolated staging area when they are actually changing active code, leading to accidental production modification.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill prescribes safety-critical changes—integrating files into live trees, updating deployment targets, and restarting services—without an explicit pause for user confirmation or a warning about service disruption risk. In agentic contexts, omission of confirmation is dangerous because routine build tasks may cascade directly into downtime or production changes with no human checkpoint.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.