Back to skill

Security audit

Rent A Logged In Agent

Security checks across malware telemetry and agentic risk

Overview

This skill openly rents out your logged-in coding agent, but it needs Review because allowed remote callers can drive a live session and the injected login is readable by prompts.

Install only if you intentionally want to rent or lend a logged-in coding-agent session through SettleMesh. Use a narrow allowlist, never strangers, verify sandbox enforcement, avoid the no-sandbox override, and understand how to stop lending and revoke cached sessions before starting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill's activation/description is broad enough to match ordinary requests about sharing compute or letting someone use an agent, which can cause this high-risk skill to trigger in contexts where the user did not explicitly intend credential lending or paid remote execution. Because the skill enables exposure of a logged-in agent session to outside callers, accidental activation materially increases the chance of unsafe setup or disclosure decisions.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to run authentication commands and initiate browser-based login on the user's behalf, and says not to stop to ask the user to log in manually. That bypasses normal consent boundaries for authentication and can cause the agent to initiate credential-binding actions or session creation before the user has clearly approved a sensitive operation.

Credential Access

High
Category
Privilege Escalation
Content
## Security — read this before lending

- **Throwaway sandbox HOME.** Each job runs in a fresh sandbox HOME with your
  login injected; your host `~/.claude` keychain / `~/.codex` is **never mounted**.
- **Why the offer is never public.** The injected credential is readable by the
  prompt-driven agent, so the offer is gated to your allowlist / friend graph and
  **does not appear in discovery**. Never lend to strangers.
Confidence
96% confidence
Finding
keychain

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.