Pilot Supply Chain Orchestrator Setup

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for multi-agent supply-chain coordination, but users should verify peer identity before using its handshake trust flow.

Install only if you intend to connect known supply-chain agents. Before handshaking, verify the other agent out of band, use allowlisted identities or fingerprints where available, and avoid routing real orders, manifests, or compliance approvals through unverified peers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README explicitly states that when both sides send a handshake, trust is auto-approved with no manual verification step. In a multi-agent supply-chain workflow that exchanges procurement, routing, and compliance messages, this can allow an attacker controlling a similarly named or reachable agent to establish trust and inject fraudulent orders, manifests, or clearances if operators do not independently verify peer identity.
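The two trust flows at issue here, the mutual-handshake auto-approve described in this finding and the out-of-band fingerprint allowlist recommended in the Overview, shown side by side as an added Python illustration. This is not the skill's own code: the registry classes, the `Handshake` fields, the agent names and the public-key bytes are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added illustration of the trust flow the finding describes; it is not the
# skill's own code. Class, field and agent names below are assumptions.


def fingerprint(public_key: bytes) -> str:
    """Hex SHA-256 over the raw public key bytes: the value an operator would
    exchange out of band (phone call, signed email, vendor portal) and pin."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass(frozen=True)
class Handshake:
    agent_name: str
    public_key: bytes


class AutoApproveRegistry:
    """Flow the finding describes: trust is granted as soon as both sides have
    sent a handshake. Nothing ties the peer's name to a verified key, so
    whoever answers under the expected name becomes trusted."""

    def __init__(self) -> None:
        self.sent: set[str] = set()
        self.received: dict[str, Handshake] = {}
        self.trusted: set[str] = set()

    def send_handshake(self, peer_name: str) -> None:
        self.sent.add(peer_name)
        self._maybe_trust(peer_name)

    def receive_handshake(self, hs: Handshake) -> bool:
        self.received[hs.agent_name] = hs
        self._maybe_trust(hs.agent_name)
        return hs.agent_name in self.trusted

    def _maybe_trust(self, name: str) -> None:
        if name in self.sent and name in self.received:
            self.trusted.add(name)

    def is_trusted(self, name: str) -> bool:
        return name in self.trusted


class AllowlistRegistry:
    """Hardened flow: a peer is trusted only if its name is pinned and the key
    it presents hashes to the pinned fingerprint. Unknown names and mismatched
    keys are refused; there is no auto-approve path at all."""

    def __init__(self, pinned: dict[str, str]) -> None:
        self.pinned = {name: fp.lower() for name, fp in pinned.items()}
        self.trusted: set[str] = set()

    def receive_handshake(self, hs: Handshake) -> bool:
        expected = self.pinned.get(hs.agent_name)
        if expected is None:
            return False  # unknown peer: never trusted on a bare handshake
        presented = fingerprint(hs.public_key)
        if not hmac.compare_digest(expected, presented):
            return False  # same name, wrong key: likely an impostor
        self.trusted.add(hs.agent_name)
        return True

    def is_trusted(self, name: str) -> bool:
        return name in self.trusted


def route_order(registry, peer_name: str, order: dict) -> bool:
    """Gate for real procurement traffic: an order is dispatched only to a
    peer the registry currently trusts. Returns whether it was dispatched."""
    return registry.is_trusted(peer_name)


def demo() -> dict:
    # Constructed keys: the genuine supplier agent and an attacker who has
    # made an agent reachable under the same name.
    genuine_key = b"-----BEGIN PUBLIC KEY----- genuine supplier (constructed)"
    attacker_key = b"-----BEGIN PUBLIC KEY----- attacker (constructed)"
    pinned = {"supplier-agent": fingerprint(genuine_key)}

    # Auto-approve: the operator initiates, the attacker answers under the
    # expected name, and trust is granted without checking who answered.
    auto = AutoApproveRegistry()
    auto.send_handshake("supplier-agent")
    auto.receive_handshake(Handshake("supplier-agent", attacker_key))

    # Allowlist: the same attacker handshake is refused, the genuine one
    # passes, and a name that was never pinned is refused outright.
    pinned_reg = AllowlistRegistry(pinned)
    attacker_ok = pinned_reg.receive_handshake(Handshake("supplier-agent", attacker_key))
    genuine_ok = pinned_reg.receive_handshake(Handshake("supplier-agent", genuine_key))
    unknown_ok = pinned_reg.receive_handshake(Handshake("compliance-agent", genuine_key))

    order = {"sku": "X1", "qty": 500}  # constructed sample order
    return {
        "auto_trusts_attacker": route_order(auto, "supplier-agent", order),
        "allowlist_accepts_attacker": attacker_ok,
        "allowlist_accepts_genuine": genuine_ok,
        "allowlist_accepts_unknown_peer": unknown_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the comparison is that the allowlist check does not care which side handshook first or whether both sides did; the only thing that grants trust is a key matching a fingerprint the operator obtained outside the agent channel. Pinning by name alone would not help, since the finding's attacker already controls a similarly named or reachable agent.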

VirusTotal

66/66 vendors flagged this skill as clean.
