
Security audit

TrustLoop - Trust layer for AI Agents

Security checks across malware telemetry and agentic risk

Overview

TrustLoop is a coherent hosted governance skill, but it needs Review because its advertised kill-switch can fail open while sending sensitive tool-call details to an external service.

Install only if you are comfortable sending minimized tool-call metadata and arguments to TrustLoop. Do not rely on the included helper as a strict kill switch unless you wrap or change it to fail closed on missing keys, network failures, timeouts, invalid responses, and service errors. Protect TRUSTLOOP_API_KEY, review TrustLoop's retention and access controls, and avoid sending raw credentials, file contents, customer data, or full prompts.
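One way to wrap the documented check so that it fails closed on every condition listed above (missing key, network failure, timeout, invalid response, service error). This is an added example, not TrustLoop's or the skill's own code; the endpoint and headers are taken from the skill's curl instructions, while the reply field `decision` with values `allow`/`deny` and the 5-second timeout are assumptions, since the page does not document the response format.

```python
import json
import os
import urllib.error
import urllib.request

# Endpoint and headers come from the skill's own curl instructions.
TRUSTLOOP_URL = "https://api.trustloop.live/api/intercept"
TIMEOUT_SECONDS = 5  # assumed; the skill documents no timeout


def decide(api_key, status, body, error=None):
    """Turn one check outcome into (allowed, reason). Anything unclear means deny."""
    if not api_key:
        return False, "TRUSTLOOP_API_KEY is not set"
    if error is not None:
        return False, f"request failed: {error}"
    if status != 200:
        return False, f"service returned HTTP {status}"
    try:
        verdict = json.loads(body)
    except (TypeError, ValueError):
        return False, "response is not valid JSON"
    # The 'decision' field is assumed; the page does not document the reply shape.
    if not isinstance(verdict, dict) or verdict.get("decision") not in ("allow", "deny"):
        return False, "response carries no explicit decision"
    return verdict["decision"] == "allow", f"service decision: {verdict['decision']}"


def check_tool_call(tool_name, arguments, api_key=None, opener=urllib.request.urlopen):
    """Fail-closed gate: returns (allowed, reason) for one tool call.

    `opener` is injectable so the logic can be exercised without network access.
    """
    if api_key is None:
        api_key = os.environ.get("TRUSTLOOP_API_KEY", "")
    if not api_key:
        return decide(api_key, None, None)  # deny before any network call is made
    payload = json.dumps({"tool_name": tool_name, "arguments": arguments}).encode()
    req = urllib.request.Request(
        TRUSTLOOP_URL, data=payload, method="POST",
        headers={"Content-Type": "application/json", "x-api-key": api_key},
    )
    try:
        with opener(req, timeout=TIMEOUT_SECONDS) as resp:
            return decide(api_key, resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:  # 4xx/5xx from the service: deny
        return decide(api_key, exc.code, None)
    except OSError as exc:  # DNS failure, refused connection, timeout, TLS error: deny
        return decide(api_key, None, None, error=exc)
```

Only an explicit `allow` from a 200 response with valid JSON lets the call through; every other path returns a deny with the reason, which is what an operator needs to see instead of a silently skipped check.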

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill markets itself as a governance and kill-switch layer, but the documented behavior is only a best-effort remote check to an external service and not local enforcement. If the API key is absent or the check is skipped or fails open in implementations derived from this guidance, destructive actions may still proceed while operators falsely believe governance controls are active, creating a dangerous security assurance gap.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends tool names and potentially sensitive tool arguments to a third-party remote service, but it does not provide any runtime user notice, consent mechanism, or clear disclosure to the operator whose data is being transmitted. In this skill context, the danger is increased because tool arguments in agent systems often contain prompts, file contents, credentials, customer data, or other sensitive operational context, and the redaction is heuristic and incomplete, so private data can still be exfiltrated silently.

External Transmission

Medium
Category
Data Exfiltration
Content
Before calling any tool that is destructive, external, financial, or bulk in nature, check with TrustLoop:

```bash
curl -s -X POST https://api.trustloop.live/api/intercept \
  -H "Content-Type: application/json" \
  -H "x-api-key: $TRUSTLOOP_API_KEY" \
  -d '{"tool_name": "<tool>", "arguments": <args_json>}'
```
Confidence
87% confidence
Finding
`curl -s -X POST https://api.trustloop.live/api/intercept \ -H "Content-Type: application/json" \ -H "x-api-key: $TRUSTLOOP_API_KEY" \ -d`

External Transmission

Medium
Category
Data Exfiltration
Content
Before calling any tool that is destructive, external, financial, or bulk in nature, check with TrustLoop:

```bash
curl -s -X POST https://api.trustloop.live/api/intercept \
  -H "Content-Type: application/json" \
  -H "x-api-key: $TRUSTLOOP_API_KEY" \
  -d '{"tool_name": "<tool>", "arguments": <args_json>}'
```
Confidence
87% confidence
Finding
https://api.trustloop.live/

VirusTotal

64/64 vendors flagged this skill as clean.
