Bs3

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its advertised agent-messaging and payment purpose, but it combines high-impact account, wallet, identity, and public-registration powers with security overclaims and weak defaults that need review.

Install only if you intend to give this skill agent identity, public discovery, social-account mutation, and payment capabilities. Use a dedicated environment, enable encrypted identity storage with a password, avoid storing funded private keys in config, keep TLS verification on, prefer dry-run modes first, disable Atlas auto-ping or UDP/webhook listeners unless needed, and review ~/.beacon for retained messages, keys, rules, and migration records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (85)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            # Try getmac first
            result = subprocess.run(
                ["getmac", "/v", "/fo", "csv", "/nh"],
                capture_output=True,
                text=True,
Confidence
98% confidence
Finding
result = subprocess.run( ["getmac", "/v", "/fo", "csv", "/nh"], capture_output=True, text=True, timeout=30,

Tainted flow: 'RELAY_HOST' from os.environ.get (line 55, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
}

    try:
        resp = requests.post(
            f"{RELAY_HOST}/beacon/relay/heartbeat/seo",
            json=payload,
            headers={"Authorization": f"Bearer {token}"},
Confidence
90% confidence
Finding
resp = requests.post( f"{RELAY_HOST}/beacon/relay/heartbeat/seo", json=payload, headers={"Authorization": f"Bearer {token}"}, timeout=15,

Tainted flow: 'SSL_VERIFY' from os.environ.get (line 26, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
# Relay agents via discover
    try:
        resp = requests.get(f"{RELAY_HOST}/beacon/relay/discover?include_dead=true", timeout=10, verify=SSL_VERIFY)
        if resp.ok:
            relay = resp.json()
            if isinstance(relay, list):
Confidence
96% confidence
Finding
resp = requests.get(f"{RELAY_HOST}/beacon/relay/discover?include_dead=true", timeout=10, verify=SSL_VERIFY)

Tainted flow: 'SSL_VERIFY' from os.environ.get (line 26, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
# Native agents — parse from sitemap
    try:
        resp = requests.get(f"{BASE_URL}/sitemap.xml", timeout=10, verify=SSL_VERIFY)
        if resp.ok:
            import re
            urls = re.findall(r"<loc>.*?/beacon/agent/([^<]+)</loc>", resp.text)
Confidence
96% confidence
Finding
resp = requests.get(f"{BASE_URL}/sitemap.xml", timeout=10, verify=SSL_VERIFY)

Tainted flow: 'SSL_VERIFY' from os.environ.get (line 26, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
# Check HTML profile
    try:
        resp = requests.get(f"{BASE_URL}/agent/{agent_id}", timeout=8, verify=SSL_VERIFY)
        if resp.ok:
            html = resp.text
            stats["html_profile"] = True
Confidence
97% confidence
Finding
resp = requests.get(f"{BASE_URL}/agent/{agent_id}", timeout=8, verify=SSL_VERIFY)

Tainted flow: 'SSL_VERIFY' from os.environ.get (line 26, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
# Check JSON profile
    try:
        resp = requests.get(f"{BASE_URL}/agent/{agent_id}.json", timeout=5, verify=SSL_VERIFY)
        stats["json_profile"] = resp.ok
    except Exception:
        pass
Confidence
96% confidence
Finding
resp = requests.get(f"{BASE_URL}/agent/{agent_id}.json", timeout=5, verify=SSL_VERIFY)

Tainted flow: 'SSL_VERIFY' from os.environ.get (line 26, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
# Check XML profile
    try:
        resp = requests.get(f"{BASE_URL}/agent/{agent_id}.xml", timeout=5, verify=SSL_VERIFY)
        stats["xml_profile"] = resp.ok
    except Exception:
        pass
Confidence
96% confidence
Finding
resp = requests.get(f"{BASE_URL}/agent/{agent_id}.xml", timeout=5, verify=SSL_VERIFY)

Tainted flow: 'SSL_VERIFY' from os.environ.get (line 26, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
presence = {aid: {"in_directory": False, "in_sitemap": False, "in_llms_txt": False} for aid in agent_ids}

    try:
        resp = requests.get(f"{BASE_URL}/directory", timeout=10, verify=SSL_VERIFY)
        if resp.ok:
            for aid in agent_ids:
                if aid in resp.text:
Confidence
95% confidence
Finding
resp = requests.get(f"{BASE_URL}/directory", timeout=10, verify=SSL_VERIFY)

Tainted flow: 'SSL_VERIFY' from os.environ.get (line 26, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
pass

    try:
        resp = requests.get(f"{BASE_URL}/sitemap.xml", timeout=10, verify=SSL_VERIFY)
        if resp.ok:
            for aid in agent_ids:
                if aid in resp.text:
Confidence
95% confidence
Finding
resp = requests.get(f"{BASE_URL}/sitemap.xml", timeout=10, verify=SSL_VERIFY)

Tainted flow: 'SSL_VERIFY' from os.environ.get (line 26, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
pass

    try:
        resp = requests.get(f"{BASE_URL}/llms.txt", timeout=10, verify=SSL_VERIFY)
        if resp.ok:
            for aid in agent_ids:
                if aid in resp.text:
Confidence
95% confidence
Finding
resp = requests.get(f"{BASE_URL}/llms.txt", timeout=10, verify=SSL_VERIFY)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The replay-protection documentation appears internally inconsistent: it first recommends monotonically increasing nonces, then later says retries should reuse the same nonce for the same logical message. Without a clear distinction between duplicate-detection/idempotency semantics and strict nonce-uniqueness rules, implementers may build incompatible or unsafe replay defenses that either reject legitimate retries or accept replayed messages.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The /api/agents route is effectively broken because unrelated registration code and an early return make the advertised agent-listing logic unreachable. This can disable visibility into registered agents, mislead operators and clients, and create security blind spots where monitoring or trust decisions rely on incomplete data.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The XML output makes authoritative claims that an agent is 'verified' and includes a fixed verification statement even though the function performs no verification. In systems that ingest this output for ranking, trust decisions, or display, this can mislead downstream consumers into granting undue credibility to unverified agents, enabling reputation abuse and trust laundering.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The docstring promises a verifiable chain based on canonical interaction data, but the implementation mixes in the current timestamp and free-form event text. That makes the hash non-deterministic and not independently reproducible, so it cannot reliably serve as an audit proof; an attacker or buggy peer can exploit this gap to dispute, forge, or obscure history integrity claims.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The module-level documentation claims boundaries are signed with Ed25519 and immutable once signed, but the code contains no signature generation, attached signature fields, or signature verification on receipt. In a trust/accord system, this creates a serious integrity and authenticity gap: parties may rely on guarantees that do not exist, allowing forged, altered, or repudiated terms.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The module advertises that heartbeats are signed with Ed25519 identities, but neither `build_heartbeat` nor `process_heartbeat` performs signing or signature verification. In a liveness protocol, this means any party that can submit an envelope can spoof another agent's heartbeat, status, uptime, or health data, undermining integrity and potentially hiding outages or triggering false trust decisions.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Adding `seo_url` and `seo_description` fields to heartbeat payloads is unrelated to liveness tracking and creates a covert channel for propagating promotional or attacker-controlled content through relays and downstream consumers. If any UI, relay, or renderer republishes these fields without strict validation, the heartbeat mechanism can be abused for spam, phishing links, metadata poisoning, or content injection.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The `sponsor_veto` governance mode is described as allowing the sponsor to block actions, but the implementation unconditionally approves every action and has no mechanism to represent or enforce a veto. This creates a security/control gap where users or downstream systems may rely on human oversight that does not actually exist, enabling unauthorized agent actions under a false assurance model.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code claims `multisig_2of3` requires approval from sponsor, agent, and one peer, but it actually accepts any two valid signers from the union of sponsor, agent, and all district agents. That lets two agents satisfy the threshold without sponsor participation, weakening the trust model and bypassing the documented human-in-the-loop control expected for co-ownership governance.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The code claims mnemonic/BIP39-style derivation but actually derives the Ed25519 private key as SHA-256(mnemonic phrase), which is nonstandard and misleading. Users may believe their seed is interoperable with wallet tooling or follows standard recovery semantics when it does not, increasing the chance of loss, misuse, or weaker-than-expected key-management assumptions.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The module docstring states the skill only reads existing data and never writes to those files, but the implementation persists analysis artifacts to insights.jsonl and insights_cache.json. This is dangerous because it creates undocumented local data retention and can mislead users or integrators about the skill's privacy and storage behavior, increasing the chance that sensitive interaction-derived metadata is stored without informed consent or proper controls.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module presents the journal as a private reflective store that is 'never shared on the network', yet its auto-journal hooks ingest and persist externally sourced data such as agent IDs, task IDs, bounty text, and reward metadata. This creates a misleading trust boundary: operators or downstream code may treat the journal as purely internal/sensitive self-reflection when it actually contains untrusted external content, increasing the risk of privacy surprises, data poisoning, and unsafe reuse of journal contents elsewhere.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module advertises 'selective amnesia' and 'the right to be forgotten', but approval only sets flags (`amnesia=True`, `listed=False`) while the shard record and amnesia history remain on disk. This creates a privacy and integrity gap: users may rely on deletion semantics that are not actually implemented, leaving sensitive knowledge discoverable through direct state access, backups, logs, or future code paths.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The docstring and feature description claim amnesia 'costs 2x the shard purchase price', but `request_amnesia` merely calculates and returns the amount without verifying or collecting payment. That breaks the stated economic control, allowing unrestricted amnesia requests and undermining governance assumptions that are meant to deter abuse.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The docstring says events are appended only to the instance-specific data_dir, but __init__ uses data_dir or _dir(), which silently falls back to a global Beacon directory when no directory is provided. In a multi-skill or multi-tenant environment, this can cause task data to be written to a shared global location, enabling unintended data mixing, leakage, or state manipulation across runs or agents.

VirusTotal

2/63 vendors flagged this skill as malicious, and 61/63 flagged it as clean.
