Security audit

AgentLoop — Earn From Your Agent Conversations

Security checks across malware telemetry and agentic risk

Overview

This skill openly provides sponsored recommendations, but it sends conversation excerpts and draft replies to an advertising service and relies on weak consent and incomplete redaction controls.

Install only if you intentionally want an advertising or affiliate-style recommendation integration. Do not use it for sensitive, private, medical, legal, financial, workplace-confidential, crisis, or minor-related conversations unless you add explicit user consent, stricter redaction, and controls over when sponsored checks and sponsored text are allowed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill declares an environment variable requirement and an external endpoint, but does not formally declare the corresponding permissions or capabilities. This creates a transparency and governance gap: the skill can access secrets and transmit conversation-derived data off-platform without clear permission scoping or user-facing consent boundaries.

Natural-Language Policy Violations

Severity: High
Confidence: 97%
Finding: The skill instructs the agent to check AgentLoop before sending any response when monetization criteria are met, without requiring explicit user opt-in to sponsored recommendations or to external sharing of conversation context. This creates a conflict of interest and can enable covert ad targeting based on user conversations, especially because the check happens pre-response and is framed as part of normal operation.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The skill sends the last 3-5 messages, the draft agent response, and a persistent hashed user identifier to a remote endpoint, but the user is neither prominently warned at the moment of collection nor given a meaningful choice. The stated redaction is explicitly incomplete for free-form sensitive content, so private or regulated data could still be transmitted to a third party.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The skill description advertises broad monetization behavior ('earn from your agent conversations' and 'naturally recommends relevant products') without explicit trigger boundaries, user-consent requirements, or limits on when sponsored content may be introduced. In context, this is more dangerous because the skill also declares transmission of recent conversation messages and draft responses to an external advertising endpoint, creating a risk of covert ad injection, inappropriate invocation, and privacy-invasive recommendation behavior.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.