Console Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent AI-agent integration guide, but it needs Review because its default source-code sharing and broad runtime-data examples can expose sensitive project data to external AI services.

Install only if you intentionally want a cloud-capable AI agent in your code. Before use, verify the external package source, pin versions, use a dedicated Gemini API key with budget limits, set includeCallerSource: false unless you explicitly need source context, avoid sending secrets or production data, and explicitly allow only the tools each call requires.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The document states that tools are opt-in, but persona descriptions simultaneously advertise default tools and auto-selection behavior. That inconsistency can cause integrators to misunderstand when network access, code execution, or file analysis may occur, leading to unintended external actions or data disclosure in security-sensitive contexts.

Intent-Code Divergence
Severity: Medium
Confidence: 94%
Finding: The 'agent decides which tools to use based on the prompt' language conflicts with the earlier claim that tools activate only when explicitly enabled. In an agent framework, ambiguity about execution authority is security-relevant because developers may unknowingly permit web access or code execution when handling sensitive inputs.

Description-Behavior Mismatch
Severity: Medium
Confidence: 89%
Finding: The skill is marketed as a simple console-style utility, but the reference describes broad agentic capabilities including external web access, hosted code execution, file submission, and automatic source-code transmission. That mismatch increases the chance of unsafe adoption because users may treat it like harmless logging while it can send code and data off-box.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: Automatically reading and sending the caller's source file to an AI service by default can expose proprietary code, embedded secrets, internal URLs, business logic, and security-sensitive implementation details without an obvious user-facing warning. In a drop-in library, such default exfiltration is especially dangerous because developers may invoke it casually during debugging or production incidents.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The examples normalize sending fetched URL content and uploaded files to the AI without emphasizing that documents and remote pages may contain confidential, regulated, or proprietary data. This can lead users to exfiltrate sensitive information to third-party services under the assumption that analysis is low-risk.

Vague Triggers
Severity: Medium
Confidence: 93%
Finding: The trigger guidance is unusually broad and maps the skill to generic requests like debugging, security audits, runtime analysis, and code review. That increases the chance the skill is invoked in many contexts where users may not realize code, logs, or operational data will be routed to an external AI service, expanding exposure and misuse risk.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: The examples normalize sending arbitrary runtime data to Gemini with 'zero config' setup and do not present a prominent warning that prompts, context, and potentially source code may leave the local environment. Because includeCallerSource is enabled in configuration examples and cloud-backed execution is the default, developers may inadvertently disclose secrets, proprietary code, or user data.

Ssd 3
Severity: High
Confidence: 99%
Finding: Automatic inclusion of caller source code creates a direct natural-language data exposure channel to the model provider. Source files often contain secrets, credentials, hidden endpoints, comments about infrastructure, or vulnerable logic; transmitting them by default materially increases confidentiality and supply-chain risk.

Ssd 3
Severity: Medium
Confidence: 96%
Finding: The configuration example explicitly enables automatic source-file reading and presents cloud use as normal operation. In practice, this can cause sensitive source code, secrets in nearby code, or business logic to be transmitted externally without users fully understanding the privacy consequences.

Ssd 3
Severity: Medium
Confidence: 97%
Finding: The best-practice and troubleshooting sections encourage passing request bodies, logs, environment information, and recent operational context directly to the agent. Even if anonymization exists, these examples teach developers to forward highly sensitive data classes that often contain PII, credentials, tokens, or incident details, creating a clear data leakage path.

Ssd 3
Severity: Medium
Confidence: 95%
Finding: The test/debug snippets pass full order data, payment results, batch inputs, and error collections to the agent. Test and staging datasets frequently contain realistic personal, financial, or regulated information, so these examples can lead teams to leak private transactional data to an external service during routine debugging.

VirusTotal

65/65 vendors flagged this skill as clean.