Aip Identity

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it needs review because some sensitive identity and messaging behaviors are broader or less protected than users would reasonably expect.

Review before installing. Use it only if you are comfortable with a local plaintext private key controlling your AIP identity, vouches, signatures, messages, and key rotation. Prefer secure registration, protect aip_credentials.json with strict filesystem permissions, avoid untrusted AIP_SERVICE_URL values, avoid sending sensitive replies until the plaintext reply behavior is clarified or fixed, and treat the list and trust-graph commands as broad discovery features rather than narrowly scoped identity operations.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Tainted flow: 'req' from os.environ.get (line 106, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Content-Type": "application/json"} if body else {})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        err = e.read().decode()
Confidence
92% confidence
Finding
with urllib.request.urlopen(req, timeout=15) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises commands that read environment variables, access credential files, invoke shell commands, and communicate with a remote service, yet it declares no permissions or capability boundaries. This creates a transparency and consent problem: an agent or user may invoke the skill without understanding that it can access local secrets and transmit data off-host.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior goes beyond identity verification and secure messaging into agent enumeration, trust-network mapping, public badge generation, and apparently a plaintext reply path. That mismatch is dangerous because users may trust the skill for narrowly scoped security tasks while it also enables broader data collection, metadata exposure, and potentially insecure message transmission.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The API reference exposes admin-style registration listing and detail endpoints without documenting any authentication, authorization, or restrictive access controls. In an identity and trust service, bulk access to registrations, linked platforms, and vouch relationships can enable user enumeration, privacy leakage, social-graph mapping, and targeting of trusted identities.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The list command exposes registry-wide enumeration through an admin-style endpoint, which goes beyond a narrowly scoped self-identity/trust tool. In agent settings, bulk discovery of DIDs, usernames, and platform bindings can facilitate scraping, profiling, and follow-on targeting of other agents or users.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The trust-graph command builds a global graph by first querying admin registrations and then iterating over many agents' vouch data. This materially expands the tool from per-agent trust operations to bulk intelligence gathering, which can reveal network relationships and social trust structures that are sensitive in many deployments.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill promotes encrypted messaging and use of a remote identity service without an explicit warning that metadata, identifiers, registration details, and possibly message-related fields may still be transmitted to a third-party server. Users may incorrectly assume that 'encrypted' means nothing sensitive leaves the system, leading to unsafe use with confidential data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The tool writes a JSON credentials file containing the private key to disk in the working directory without setting restrictive file permissions or giving a pre-write disclosure about local secret storage. On multi-user systems, shared workspaces, or agent sandboxes that sync artifacts, this can expose long-lived signing credentials and enable account takeover of the DID.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Key rotation overwrites the credentials file with fresh private key material, again without explicit handling for secure permissions or prior user disclosure. If the file is readable by other users/processes or is picked up by backups/sync, the new key can be stolen immediately after rotation, defeating the security benefit.

Credential Access

High
Category
Privilege Escalation
Content
## Credentials

Stored as JSON in `aip_credentials.json`: `{ "did", "public_key", "private_key", "platform", "username" }`.
**Never share `private_key`.** DID and public_key are safe to share.

Set `AIP_CREDENTIALS_PATH` env var to use a custom credential file location instead of the default search path.
Confidence
91% confidence
Finding
credentials.json

VirusTotal

66/66 vendors flagged this skill as clean.