Alephnet Node

Security checks across malware telemetry and agentic risk

Overview

The skill's code largely matches its description as an AI-agent network product, but it grants broad local and server-side authority and overstates the encryption of direct messages, so review it carefully before installing.

Install only in a dedicated sandbox or disposable workspace, not on a machine with private documents, SSH keys, cloud credentials, or production wallets. Do not rely on its direct-message encryption as implemented. Bind any server to localhost unless you have reviewed authentication, avoid ALEPH_DEV_NO_AUTH outside isolated development, and provide signing or cloud credentials only deliberately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (184)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The export endpoint exposes comprehensive agent internals including memory phases, priors, biases, quarantine zones, and beacons, which could reveal sensitive reasoning state, embedded data, and security-relevant configuration. In an AI-agent network context, full state export materially increases the risk of data exfiltration, model cloning, and leakage of internal safeguards if access controls are weak or misapplied.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The import endpoint allows arbitrary reconstruction of agent state, including memory and quaternion/perception data, which creates a direct path for state injection, impersonation, corruption, or bypass of normal initialization and safety assumptions. In a system described as providing distributed memory and autonomous learning, this capability is especially dangerous because imported state may influence future decisions and propagate poisoned or attacker-crafted behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The module hydrates signing identity from long-lived environment variables, including a private key. Environment variables are frequently exposed through process inspection, crash reports, debug tooling, container metadata, or inherited child processes, so loading raw private key material this way materially increases key-compromise risk in a wallet/signing module.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The claim path requires a `signature` parameter and even imports `verify`, but never validates that the claimant actually controls the identity associated with `nodeId` or `fingerprint` before transferring tokens. This allows an attacker to solve or replay challenges for arbitrary node IDs and receive faucet funds without proving ownership, undermining the faucet's core anti-abuse model and enabling unauthorized token distribution.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The start action launches a standalone server bound to 0.0.0.0, making it reachable from any network interface rather than only localhost. In an agent skill context, this unnecessarily broad exposure increases the attack surface and can permit unintended remote access if the service lacks strong authentication or is started in an untrusted environment.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding
The planner allows an LLM to generate steps that specify arbitrary tool names and parameters, and the executor later invokes those tools with little policy enforcement beyond existence/success checks. If untrusted user input or prompt-injected context influences planning, the model can select sensitive tools or dangerous parameters, leading to unauthorized actions, data access, or destructive operations.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The CLI exposes a pathway to execute model-generated markdown code blocks via /run, and the response renderer is explicitly configured with code execution support. In an LLM-driven interface, generated code is untrusted input; this creates a direct route from prompt output to local code execution, which can lead to arbitrary command execution, file access, credential theft, or system compromise.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
executeCodeBlock runs block.code through CodeRunner with no visible sandbox, validation, capability restriction, or trust boundary. If the model or a remote-influenced conversation produces a malicious snippet, the user is only one CLI command away from executing arbitrary local code, which is especially dangerous in a networked, tool-using agent context.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The CLI imports conversation history from remote seed nodes and persists it locally, effectively replicating potentially sensitive user/assistant content across nodes without strong scoping or trust controls. In a social/economic agent network this may be framed as synchronization, but importing chat history from peers expands the exposure of private data and creates opportunities for prompt/context poisoning.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The server automatically discovers Google credential files from environment variables or a default filesystem path and wires them into an external provider without explicit operator confirmation. This expands the skill's access to sensitive cloud credentials and external services, increasing the chance of unintended privilege use, data exfiltration, or surprise billing if the broader system or a compromised route later invokes that provider.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The debugLLM and debugPing endpoints actively test LLM connectivity and return internal connection details such as base URL, host, port, model name, and live response behavior. Even if intended for diagnostics, exposing this through observer routes increases the attack surface by leaking infrastructure details and enabling unauthenticated service probing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The node information endpoint discloses network topology and connectivity metadata including seeds, coordinator URLs, websocket signaling URLs, STUN/TURN server data, room listings, and peer counts. This information can help an attacker map the environment, target signaling or relay infrastructure, and identify live network relationships beyond what a basic status endpoint needs to reveal.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The routes expose full agent state serialization and allow importing arbitrary agent state directly from request data, which creates a powerful state exfiltration and state injection surface. In this file there is no visible authentication, authorization, schema hardening, or integrity verification around these operations, so an attacker could steal sensitive internal state or create/manipulate agents with attacker-controlled cognition and configuration.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
Multiple GET endpoints expose internal cognitive and runtime state such as beliefs, quaternion state, memory phases, beacons, attention, and serialized state. Given the skill description focuses on social/economic networking rather than public introspection of raw agent cognition, this broad exposure increases the risk of sensitive information leakage, model fingerprinting, and operational abuse if these routes are reachable by untrusted callers.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The system prompt explicitly instructs the agent to act autonomously, use tools immediately, and explore related files without confirmation. In combination with tool support, this creates a real risk of overbroad local file access and action-taking that is not justified by the skill's stated social/economic-network purpose, increasing the chance of prompt-induced data exposure or unsafe actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The tool executor is initialized with the current working directory and allowHomeDir: true, granting broad access to local files including potentially sensitive user data. This exceeds the described functionality of a social/economic agent network and materially increases the blast radius of any prompt injection, misuse, or model error.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
This code combines broad filesystem scope with an autonomous agent configuration, enabling the model to explore local files with little friction. Because the skill's advertised purpose does not require unrestricted host inspection, the capability is unjustified and dangerous: an attacker or accidental prompt could cause exfiltration of secrets, SSH keys, tokens, or private documents.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The module persists full prompts and model responses to a local JSON cache file, which can store sensitive user data, secrets, internal context, or proprietary information well beyond the immediate query. Because this tool is explicitly designed to send arbitrary prompts to an external LLM, retaining raw inputs/outputs on disk materially increases exposure through local compromise, backup leakage, multi-user hosts, or accidental log/file sharing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The assay does not merely observe the system; it actively mutates core semantic-field, memory, and boundary state via integrateStimulus(), memory.perturb(), and boundary.perturb(). In an agent/network skill, evaluation code that changes internal state can disrupt behavior, corrupt continuity, or create hard-to-diagnose side effects, especially if run on a live core rather than an isolated test instance.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The agency assay directly alters runtime behavior by changing HQE dimensions, modifying this.core.dt, and injecting a synthetic goal through agency.setGoal(). In the stated skill context of autonomous/social-economic agent infrastructure, code that can steer goals and constrain execution is more sensitive than ordinary benchmarking code because it can influence real agent decisions and availability.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
`authMiddleware` unconditionally skips all authentication when `process.env.ALEPH_DEV_NO_AUTH === 'true'`. If that flag is enabled in any non-isolated environment, every non-public endpoint becomes accessible without signature verification, which completely defeats the stated authentication model. In the context of an AI-agent network providing distributed memory, networking, and autonomous behavior, unauthorized access could expose sensitive node operations and enable abuse across the agent ecosystem.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The module advertises end-to-end encrypted direct messaging, but the implementation persists message content in plaintext and does not perform actual DM encryption. This creates a dangerous trust gap: users and integrators may send sensitive data assuming confidentiality, while any local process, backup, or filesystem compromise can expose message contents.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The code path explicitly acknowledges encryption should occur when identity is available, but then leaves `encrypted=false` and stores the plaintext content anyway. This means confidential messages are silently downgraded to cleartext, defeating the security model and enabling disclosure through disk access, logs, backups, or other components reading stored room data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The CheckpointManager introduces persistent filesystem writes, metadata storage, deletion, and rollback behavior that materially expands the module's capabilities beyond in-memory holographic encoding. In an agent skill context, hidden persistence under the user's home directory can create confidentiality, integrity, and stealth risks, especially because checkpoint contents may include arbitrary state and are automatically retained and restored without explicit user approval.

Description-Behavior Mismatch

Severity: Medium
Confidence: 82%
Finding
The file header presents the module as a holographic encoding component, but the implementation also performs persistent storage and rollback management. This documentation/behavior mismatch is security-relevant because operators may approve or execute the skill under incorrect assumptions, enabling unexpected disk persistence of runtime state.

VirusTotal

63/63 vendors report this skill as clean.
