Back to skill

Security audit

Acp Remote

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about enabling remote agent command execution, but its examples use broad auto-approval and weak/default server security guidance that users should review carefully.

Install only if you intentionally need remote agent command execution. Use trusted servers, require a strong token, prefer `wss://` or an SSH tunnel, bind servers to localhost/private interfaces where possible, restrict `--allowed-tools` and `--cwd`, and avoid `--approve-all` except in isolated automation where file changes and shell execution are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly recommends or normalizes use of `--approve-all` for a remote ACP server that can execute commands. Auto-approving remote permission requests removes an important human safety checkpoint and can allow unexpected file access or shell execution if the remote agent, server, or prompt is untrusted or compromised.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The install instructions append to `~/.bashrc`/`~/.zshrc` without warning the user that this creates a persistent environment change. While common in setup docs, modifying shell startup files can surprise users, create PATH-precedence issues, and persist unintended behavior across sessions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs users to pipe a remotely fetched script directly into `bash` with no integrity verification or review step. This is dangerous because compromise of the upstream repository, transport, or install script would immediately lead to arbitrary code execution on the user's machine.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.