Back to skill

Security audit

Alibabacloud Agentloop Experience

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed AgentLoop memory lookup skill that sends approved recall queries to a configured endpoint and shows no hidden persistence, destructive behavior, or secret exfiltration.

Use this skill only when you want AgentLoop recall. Configure credentials in the documented recall.env or environment variables, approve only query text you are comfortable sending to the configured endpoint, and avoid setting AGENTLOOP_CONFIRM_OUTBOUND=true unless the environment operator has intentionally approved automatic recall calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to read credentials and endpoint configuration from environment sources such as `recall.env` and process environment variables, but no explicit permissions are declared for that capability. This creates a transparency and policy gap: a reviewer or runtime may not realize the skill can access sensitive configuration, increasing the risk of unintended secret exposure or unauthorized outbound use.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger description is broad enough to activate on common requests like checking, searching, recalling, or looking up prior experience, which can cause the skill to run in many ordinary conversations. Because the skill performs outbound recall queries containing user task text, over-triggering increases the chance of sending unnecessary or sensitive contextual data to an external endpoint under ambiguous user intent.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.