AgentGuard by Nano

Security checks across malware telemetry and agentic risk

Overview

AgentGuard is a coherent security/credential tool, but its implementation has high-impact safety gaps around credential handling, shell execution, and external approval notifications.

Review carefully before installing. Use only with test credentials or in a contained environment until shell command construction is replaced with argument-based execution, the default master password is removed, secret output is opt-in, and Feishu payloads are redacted and destination-restricted. Do not enable dangerous auto-approve unless you fully control the agents and operations involved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding:
The documentation introduces a credit-scoring and reputation system that expands the skill from permission guarding into behavioral trust scoring and privilege decisions. In a security middleware context, this is dangerous because the examples explicitly use the score to grant automation and elevated permissions, which can create insecure, gameable authorization paths and privilege escalation based on weak heuristics rather than explicit policy.

Context-Inappropriate Capability

Low
Confidence: 80%
Finding:
The marketplace-style ranking and comparison of agents encourages trust decisions based on comparative reputation rather than verified identity, policy, or least privilege. In this skill’s context, that can mislead operators into selecting or auto-trusting agents using superficial rankings, increasing the chance of over-trusting unsafe agents.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding:
The tmux execution path launches shell commands built from interpolated strings and writes tmux sockets into a configurable directory, expanding the component from credential access into terminal/session orchestration. Because command fragments include user-influenced values such as account, item titles, references, and other arguments passed through execSync, this creates command-injection and session-hijacking risk around highly sensitive secret-handling operations.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding:
The skill is positioned as a permission guardian, yet its recommendation engine directly suggests elevated permission levels such as 'admin' based on a simplistic reputation score. This creates an unsafe trust-to-privilege escalation path where behavior-derived scoring can be used to justify broader access without independent authorization controls, undermining least-privilege guarantees in a security-sensitive component.

Context-Inappropriate Capability

Medium
Confidence: 70%
Finding:
Cross-agent credit score comparison and ranking introduces profiling across multiple agents, which is broader than the guardian role and can expose sensitive operational metadata or enable inappropriate surveillance of agent behavior. In a system managing permissions, approvals, and audit trails, aggregation across agents increases the blast radius of any misuse because it centralizes comparative trust signals that could be used for unfair access decisions or information disclosure.

Missing User Warnings

Medium
Confidence: 88%
Finding:
The README demonstrates storing credentials directly on the command line and includes example secret material such as `sk-xxx` without a visible warning that shell history, process listings, logs, or copied examples can expose sensitive values. In a tool explicitly designed for credential management, this can normalize unsafe operator behavior and lead to accidental secret disclosure.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The document explicitly demonstrates retrieving a credential and notes that it directly outputs the secret value for scripting convenience, but provides no warning about terminal exposure, shell history, logs, or accidental disclosure. In a credential-management skill, normalizing plaintext secret output increases the chance that users or downstream agents will leak sensitive tokens during routine use.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The examples show setting a master password in an environment variable and storing API keys with placeholder values, but there is no visible warning about using real credentials safely. For a security-focused tool, this can encourage insecure operational habits such as leaving secrets in shell history, process environments, screenshots, or copied examples.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The documentation instructs users to manually copy credentials from 1Password into AgentGuard and to pass a secret directly on the command line (`agentguard vault store my-agent API_KEY xxx`). Both practices can expose secrets through clipboard leakage, terminal scrollback, shell history, process arguments, screen recording, or shoulder-surfing. In a credential-management skill, normalizing insecure secret-handling workflows is especially risky because users may treat the example as recommended practice.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The documentation shows approval requests and Feishu notifications containing operational details such as email recipients and subjects, but it does not warn users that these request contents are transmitted to a third-party messaging platform. In a security middleware skill focused on credentials, permissions, and human approval, omission of this data-flow disclosure can lead operators to unintentionally leak sensitive or regulated information into chat systems, logs, or broader Feishu visibility scopes.

Missing User Warnings

Medium
Confidence: 98%
Finding:
The `vault get` command prints the retrieved credential directly to stdout, which can leak secrets into terminal scrollback, shell history workflows, logs, CI output, or parent-process captures. In a credential-guarding tool, exposing secrets by default materially increases the chance of accidental disclosure.

Missing User Warnings

Medium
Confidence: 100%
Finding:
The CLI falls back to a hardcoded master password (`default-password-change-me`) when `AGENTGUARD_PASSWORD` is unset, which can make all local encrypted data effectively protected by a known default secret. Even when the environment variable is used, relying on env vars for master secrets can expose them through process inspection, crash reports, or inherited environments; the dangerous part here is especially the insecure default.

Missing User Warnings

Medium
Confidence: 77%
Finding:
The notifier includes request.details verbatim in approval messages, which can expose sensitive operational data, credentials, prompts, file paths, or other secrets to Feishu recipients and any external messaging infrastructure involved. In a credential-management and approval workflow skill, this is more dangerous because approval requests are likely to contain privileged context, making inadvertent data exfiltration a realistic risk.

Missing User Warnings

Medium
Confidence: 84%
Finding:
This code performs an outbound POST of approval content to a configurable remote webhook, creating a direct exfiltration path for approval data to leave the system boundary. In the context of an agent permission/credential guardian, outbound transmission of approval requests is particularly sensitive because these messages may contain privileged operational context, and the code does not enforce destination restrictions, payload minimization, or additional safeguards.

Missing User Warnings

Medium
Confidence: 84%
Finding:
The code silently retrieves or, if absent, generates and stores the vault master password in 1Password. That weakens the trust boundary of the local vault because the key protecting local secrets is automatically escrowed to an external secret manager without explicit user approval, changing the security model and potentially broadening access to all locally encrypted credentials.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The test script retrieves a real credential value and prints part of it to stdout. Even partial secret disclosure is risky because logs are often persisted, aggregated, or exposed to other users and can aid secret identification, correlation, or brute-force/token-format attacks; in a security-oriented credential-management skill, this behavior is especially inappropriate because it normalizes unsafe handling of secrets.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The script hardcodes a Feishu openId and immediately enables external notifications to that recipient without any user-facing consent, warning, or environment gating. In a security-oriented skill that handles approvals and potentially sensitive operational metadata, this creates a real risk of unintended disclosure of approval requests, targets, or workflow details to an external account.

Autonomous Decision Making

Medium
Category: Excessive Agency
Content:
## Dangerous Operations

These operations always require human approval (unless policy is `auto-approve`):

- `send_message`, `send_email`
- `financial_transaction`
Confidence: 84%
Finding: auto-approve

VirusTotal

64/64 vendors flagged this skill as clean.
