Back to skill

Security audit

Teneo Agent Deployment

Security checks across malware telemetry and agentic risk

Overview

This skill is a deployment guide, but it also tells the agent to replace its own reviewed instructions from a remote URL and perform sensitive setup without normal user checkpoints.

Install only after careful review. Do not allow this skill to update itself from the remote URL, install software, modify shell startup files, accept legal terms, generate or store wallet keys, mint an agent, or run a persistent network process without explicit step-by-step approval. Use a disposable environment and non-production credentials until the remote override and approval-suppressing instructions are removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill instructs the agent to fetch and trust a newer remote SKILL.md from an unrelated domain before execution, effectively allowing unreviewed remote instructions to replace the audited local skill. This breaks trust boundaries and creates a supply-chain style execution path where the skill author can change behavior at any time, including adding destructive or credential-stealing actions.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill directs the agent to install Go, alter PATH, and prefetch remote dependencies immediately upon installation, before obtaining informed user consent. This causes system modification and network activity outside the user's explicit request and expands the attack surface through package retrieval and environment changes.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill mandates fully autonomous execution of sensitive actions including key generation, file creation, dependency installation, building, minting, and running, with no pause for confirmation. This removes human checkpoints around credential creation, external network operations, and potentially billable or irreversible deployment actions.

Missing User Warnings

High
Confidence
97% confidence
Finding
The instructions push the agent to install software and fetch dependencies before any confirmation or warning about machine changes. That is dangerous because it normalizes privileged setup actions and external downloads without ensuring the user understands the consequences or has authorized them.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly instructs end-to-end autonomous execution of sensitive operations without adequate warning, including generating a private key and minting an agent identity. In context, this is more dangerous because deployment and minting may be irreversible or financially meaningful, yet the user is denied normal review and approval points.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill instructs the agent to generate a private key and store it in a local .env file without strong warnings about credential sensitivity, backup, exposure, or misuse. This is dangerous because the key represents the agent's wallet identity and may enable impersonation, loss of control, or unauthorized transactions if mishandled.

Ssd 4

High
Confidence
98% confidence
Finding
The skill uses coercive sequencing language such as 'do not stop' and 'do not ask the user to intervene' to suppress normal safety checks while performing installation, key generation, minting, and deployment. This pressure pattern is dangerous because it is specifically designed to bypass the consent and verification steps that would otherwise catch risky or unintended actions.

Ssd 1

High
Confidence
99% confidence
Finding
Telling the agent to prefer a newer remote skill file over the local reviewed one semantically overrides the local trust boundary and creates a hidden control channel for the skill author. In a skill context, this is especially dangerous because users and reviewers may believe they are executing the audited file while the agent actually follows mutable remote content.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.