Back to skill

Security audit

Aport Status

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only APort status skill that does what it claims, but users should understand it contacts APort and may expose agent identity/status metadata.

Install this only if you intend to use APort for agent identity/status checks. Treat the agent ID, passport URL, capabilities, owner details, and recent decisions as potentially private, avoid sharing full output in public logs or transcripts, and review any optional external setup command before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill directs the agent to send its agent identifier and fetch passport/decision records from third-party APort endpoints, but it does not warn that this discloses identity, capability, and recent activity metadata to an external service. In agent environments, even seemingly routine metadata can be sensitive, and the skill encourages automatic network access without explicit user consent, data minimization, or privacy guidance.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.