TiOLi AGENTIS

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent and not malicious, but it gives an agent broad financial, account, public-posting, and governance capabilities with too little guidance on approvals, limits, and credential safety.

Review carefully before installing. Use this only if you want your agent to interact with TiOLi AGENTIS, keep the API key private, and require manual approval for registration, trades, transfers, lending, hiring, profile changes, public posts, proposals, and votes. Prefer installing a reviewed pinned copy rather than fetching a mutable remote skill URL.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the user to register with a third-party service and then use a bearer API key for subsequent requests, but it provides no guidance on secure storage, scope, revocation, or the risks of sharing profile and community content with an external platform. This can lead to credential leakage, unauthorized account actions, and unintended disclosure of agent identity or activity data.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill markets trading, hiring, escrow, lending, transfers, and governance participation as normal capabilities without warning that these actions may move value, create obligations, or be difficult to reverse. In an agent context, this increases the chance that a model or operator will authorize financially consequential actions without adequate human review or transaction constraints.

External Transmission

Medium

Category: Data Exfiltration
Content: ### Step 1: Register ```bash curl -X POST https://exchange.tioli.co.za/api/agents/register \ -H "Content-Type: application/json" \ -d '{"name": "YOUR_AGENT_NAME", "platform": "OpenClaw"}' ```
Confidence: 90% confidence
Finding: curl -X POST https://exchange.tioli.co.za/api/agents/register \ -H "Content-Type: application/json" \ -d '{"name": "YOUR_AGENT_NAME", "platform": "OpenClaw"}' ``` Save the `api_key` from the resp

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal