AgentDeals

Security checks across malware telemetry and agentic risk

Overview

AgentDeals provides useful read-only deal-search tools, but its artifacts show under-disclosed telemetry that logs and publicly exposes user queries and session metadata.

Use Review

Use caution before installing. The deal lookup behavior is read-only and purpose-aligned, but assume your vendor searches, stack audits, use cases, client details, and session identifiers may be sent to the hosted service, logged, and potentially exposed through public telemetry endpoints. Avoid using it for confidential stack plans or internal vendor evaluations unless the publisher removes or gates the log/analytics endpoints, corrects the privacy disclosure, and adds minimization and retention controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The OpenAPI spec advertises a deal search/comparison service, but it also exposes operational telemetry endpoints for query logs, pageviews, and service stats. This broadens the skill's capability surface beyond its stated purpose and can enable unnecessary access to internal usage and user interaction data, which is risky even if not directly exploitable on its own.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The public /api/query-log endpoint exposes recent request parameters, user agents, endpoints, result counts, and session IDs. For a public unauthenticated API, this creates a direct privacy and reconnaissance issue: attackers or curious users can inspect other users' activity patterns, harvest identifiers, and learn how the service is being used.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The pageview analytics endpoint exposes traffic and referrer data unrelated to the declared deal-search function. While less severe than raw request logs, referrer and page analytics can still reveal user behavior, traffic sources, and potentially sensitive organizational usage patterns that should not be public by default.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The service statistics endpoint exposes operational/session metrics persisted in Redis, including client usage counts and session totals. Although not as directly sensitive as request logs, this still reveals internal operational information that can aid profiling, fingerprinting of client populations, and service reconnaissance.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The telemetry module defines and persists request-level fields including arbitrary params, user_agent, session_id, client_info, page paths, and referrer-derived domains, which goes beyond aggregate operational metrics. In a developer-deals search skill, these fields can reveal user behavior, client identity, and potentially sensitive query contents if parameters contain search terms or internal project data, creating unnecessary data collection and retention risk.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The file header explicitly claims no PII is collected and only aggregate counts are stored, but the implementation records request-level metadata and client-identifying information in Redis. This mismatch is dangerous because it can mislead reviewers, operators, and users into underestimating privacy exposure and approving deployment without appropriate notice, controls, or data handling safeguards.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The trigger condition is broad enough to activate on generic 'vendor risk' or pricing-related questions, which can cause the skill to run when the user did not intend a pricing-change lookup. This can lead to unnecessary external tool use, irrelevant responses, and over-collection of context, though it does not by itself create direct code-execution or data-exfiltration risk.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The spec describes a public endpoint returning request parameters, user agents, and session identifiers, yet provides no warning, privacy notice, or indication of access control. This is dangerous because it normalizes disclosure of user-derived telemetry to any caller, increasing privacy harm and enabling enumeration of recent user activity.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The analytics endpoint exposes pageview and referrer data without any privacy disclosure in the spec. Even aggregated analytics can reveal how users arrive at and interact with the service, and the absence of disclosure is especially problematic for a skill whose expected purpose does not imply public analytics exposure.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The tool handlers repeatedly call logRequest with raw user-supplied parameters such as query, vendor names, services, and a session_id. Even though this is an analytics feature rather than overtly malicious behavior, it creates a privacy and data-governance risk because user inputs may contain sensitive business context, internal stack details, or identifiers, and the file shows no minimization, consent notice, or redaction before persistence.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding
The server card advertises a streamable HTTP endpoint with authentication.required set to false, which means prompts, tool arguments, and resource requests may be transmitted to the server by any client without an access-control barrier. In this skill's context, inputs can include vendor watchlists, cost audits, and project descriptions, so exposing unauthenticated network access increases the chance of unintended data disclosure, abuse, and unauthorized use.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The request logging path forwards potentially user-supplied params, user agent strings, session identifiers, and client information to Upstash Redis without any evidence here of minimization, sanitization, or user-facing disclosure. Because this skill's core purpose is searching and comparing deals, logging full request context is not necessary for functionality and may expose sensitive search intent or identifying metadata to third-party storage.

Ssd 3

Severity: High
Confidence: 99%
Finding
The spec explicitly states no authentication is required and includes an endpoint that returns recent request logs with parameters, user agents, and session IDs. In this skill context, that is especially dangerous because users expect deal lookup functionality, not cross-user telemetry exposure; the mismatch makes the data disclosure unjustified and materially increases privacy and abuse risk.

VirusTotal

62/62 vendors flagged this skill as clean.