ZAP1 - Zcash Attestation

Security checks across malware telemetry and agentic risk

Overview

This attestation plugin appears purpose-built rather than clearly malicious, but it needs review because it can continuously send agent activity hashes to a remote service and exposes admin API-key creation as an agent tool.

Install only if you intentionally want an external, persistent audit trail of agent activity. Use a least-privilege ZAP1 key, avoid admin credentials unless key provisioning is required, restrict apiUrl to a trusted or self-hosted endpoint, set proofInterval to 0 if checkpoint messages are unwanted, and do not rely on policyRules unless your host agent explicitly wires evaluatePolicy into tool execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Medium, 95% confidence
Finding: This code transmits event metadata to a third-party endpoint on every attestation call using an API key, even though the file provides no user consent flow, disclosure, data minimization controls, or clear necessity boundary. Although the payload uses hashes instead of raw content, it still creates a persistent telemetry channel tied to agent identity and operational events, which can leak sensitive behavioral information and enable external tracking.

Context-Inappropriate Capability

High, 97% confidence
Finding: The hook registers broad surveillance across inbound/outbound messages, preprocessing, audio transcription, session patches, bootstrap, gateway startup, and commands, creating pervasive runtime monitoring. In an agent skill context, this is dangerous because it captures sensitive operational context well beyond a narrowly scoped feature, increasing privacy risk and the blast radius of any external service compromise or misuse.

Missing User Warnings

High, 95% confidence
Finding: The README explicitly says eight hooks run silently and attest messages, commands, sessions, and lifecycle events, but it does not present a prominent privacy/security warning about automatic data transmission to an external attestation service. In an agent environment, silent interception and remote hashing/metadata export of communications and session activity can expose sensitive operational data, create unexpected compliance/privacy risk, and undermine informed user consent.

Missing User Warnings

Medium, 93% confidence
Finding: The configuration section describes apiKey and apiUrl as ordinary setup fields but does not clearly warn that supplying them activates remote attestation to a public or third-party endpoint, including message/session-derived metadata and hashes. Users may configure the service without understanding that external transmission begins once these values are set, increasing the risk of accidental disclosure of sensitive workflow, identity, or message information.

Missing User Warnings

Medium, 94% confidence
Finding: The module sends hashed message and session-derived data to a remote API without any visible disclosure, consent, or transparency mechanism. Even when hashed, these values are generated from potentially sensitive content and identifiers, and repeated authenticated uploads can expose communication patterns, enable correlation, and violate user expectations or policy requirements.

Missing User Warnings

Medium, 84% confidence
Finding: The code uses an API key to authenticate silent network transmission to an external service, indicating a trusted outbound integration that operates without any visible user-facing warning or administrative transparency in this file. In the skill context, that makes hidden exfiltration or undeclared telemetry materially more dangerous because the authentication channel enables reliable, ongoing reporting tied to a specific account or tenant.

Missing User Warnings

High, 90% confidence
Finding: This tool performs an administrative credential-management action that can create new API keys against a remote service using whatever bearer token is configured. In an agent context, exposing such a capability without strong confirmation, authorization gating, or scoped restrictions materially increases the risk of unauthorized key creation, privilege propagation, and tenant compromise if the tool is invoked through prompt manipulation or operator error.

Vague Triggers

Medium, 84% confidence
Finding: The manifest registers multiple generic, high-scope hooks such as message:sent, message:received, agent:bootstrap, session:patch, gateway:startup, and command, which can cause the skill to run across broad lifecycle events with limited specificity. In the context of an attestation plugin that advertises policy enforcement, session tracking, proof checkpoints, and API-backed write operations, this expands access to agent and message data and increases the chance of unintended interception, modification, or exfiltration.

Missing User Warnings

Medium, 93% confidence
Finding: The manifest explicitly states that the API key is required for automatic attestation hooks and describes write operations, but it does not clearly disclose that agent/message/session data may be transmitted automatically to a remote API endpoint. Because the plugin also advertises session tracking, audit events, webhooks, and proof creation anchored to an external service, users may unknowingly enable continuous outbound data flows and state-changing behavior.

Missing User Warnings

Medium, 95% confidence
Finding: This function sends event metadata and hashes of message/session-related content to an external service, including hashed message bodies, channel identifiers, and other activity-derived values, without any visible notice, consent, or minimization controls. Even when content is hashed, unsalted hashes of low-entropy or guessable values can be correlated or brute-forced, and the overall telemetry reveals sensitive behavioral metadata about agent interactions.

Missing User Warnings

Medium, 90% confidence
Finding: The plugin reads a configured API key and automatically uses it as a bearer token for outbound requests to a third-party endpoint, with no visible transparency or guardrails in the code. This creates a trust and secret-handling risk: administrators may not realize the skill continuously authenticates to an external service, and a malicious or misconfigured apiUrl could cause credential exposure to an unintended host.

Missing User Warnings

High, 91% confidence
Finding: This tool performs an administrative action that provisions API keys on a remote service using whatever API key is present in plugin config, with no in-code safeguards, confirmation flow, or validation of requested privilege tier. In an agent setting, exposing a state-changing admin primitive as a callable tool increases the risk of unauthorized or unintended key creation, privilege expansion, and persistent account compromise if the tool is invoked through prompt manipulation or misuse.

VirusTotal

1/65 vendors flagged this skill as malicious, and 64/65 flagged it as clean.