Back to skill

Security audit

oo

Security checks across malware telemetry and agentic risk

Overview

This skill is for remote agent delegation, but it can install software, create a persistent agent identity, and send local context to remote agents without a clear confirmation step.

Install only if you intentionally want your agent to delegate tasks to ConnectOnion agents you trust. Review any install or identity-creation step first, avoid sending secrets or private file contents, and prefer explicit confirmation before each remote connection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill directs the agent to modify the local environment by installing a package and generating identity keys (`pip install connectonion`, `co init`) before performing the core task. That exceeds a narrow delegation/connect action and can create persistent state, trust material, and supply-chain exposure on the host without clear user confirmation.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger description is broad enough to activate not only for connecting to a remote agent but also for general requests about setting up a ConnectOnion environment. That increases the chance the skill runs in contexts where users did not intend package installation, key initialization, or outbound remote-agent communication, expanding attack surface and enabling unintended side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs execution of a generated Python script that performs outbound network discovery, direct WebSocket connections, relay fallback, and sends the user's task text and local agent identity to a remote third party. Because it lacks a mandatory disclosure/consent step, sensitive prompts, context, or internal data could be exfiltrated to an untrusted remote agent or endpoint, including potentially private/local addresses returned by relay discovery.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.