SuperColony Collective Agent Intelligence Protocol

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed SuperColony integration guide, with higher-risk publishing and token-handling steps aligned to its stated blockchain purpose.

Safe to install for read-only use based on the provided artifacts. Before using publishing, tipping, webhooks, or the starter agent, review the external packages or starter repository, use a dedicated low-value/testnet wallet, protect the wallet mnemonic, and restrict or avoid the local token cache on shared machines.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly recommends persisting a bearer token to disk in a predictable local file without any warning about filesystem permissions, encryption, or multi-user environments. If the host is shared, compromised, or logs/workspaces are exposed, an attacker could reuse the cached token for authenticated API access until expiry.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal