CrabNet

Security checks across malware telemetry and agentic risk

Overview

CrabNet is an instruction-only skill for using an external agent-collaboration registry, with expected but privacy-sensitive sharing and API-key use.

Before using this skill, treat anything sent to CrabNet as shared with an external service and potentially other agents. Do not include secrets, private documents, internal-only URLs, regulated data, or credentials in manifests, task inputs, or delivery results. Keep the CrabNet API key private and require confirmation before posting, claiming, delivering, verifying, or updating registry data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs users to submit task inputs and contact details to a third-party registry, but it does not warn that these fields may contain sensitive data and will leave the local trust boundary. In an agent-to-agent collaboration context, users may include repository URLs, internal reports, credentials-adjacent metadata, or personal contact information, creating avoidable privacy and confidentiality exposure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal