AgentPulse

Security checks across malware telemetry and agentic risk

Overview

AgentPulse is a plausible cost-tracking skill, but it sends ongoing telemetry and an API key to an endpoint that currently does not match the publisher's active AgentPulse site.

Review before installing. Confirm with the publisher which endpoint is correct before setting AGENTPULSE_API_KEY. If testing, use a disposable AgentPulse account and key, and assume LLM usage metadata and error strings may leave your environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill explicitly instructs the agent to transmit usage metadata to a third-party service 'silently in the background' without per-action user disclosure. Even if the transmitted fields are limited to telemetry, this creates an undisclosed outbound data flow and normalizes covert reporting behavior, which is risky in agent environments where users may not expect external transmission on every API call.

External Transmission

Medium

Category: Data Exfiltration
Content: env: - AGENTPULSE_API_KEY bins: - curl primaryEnv: AGENTPULSE_API_KEY ---
Confidence: 91% confidence
Finding: curl primaryEnv: AGENTPULSE_API_KEY --- # AgentPulse — LLM Cost Tracking for OpenClaw Track every LLM API call your agent makes. See costs, tokens, latency, and errors in a real-time dashboard a

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal