Back to skill

Security audit

OmniWire

Security checks across malware telemetry and agentic risk

Overview

OmniWire appears purpose-built for mesh infrastructure administration, but it gives agents very broad server, credential, browser-session, sync, and persistence authority without enough scoping or approval guardrails.

Install only if you intentionally want an agent to administer your machines. Pin and review the npm package before use, start with non-production nodes, use dedicated non-root SSH keys, restrict exposed REST/SSE/WebSocket ports, and require explicit approval for commands that change files, services, users, firewall rules, containers, cookies, VPN state, browser sessions, or shared memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The metadata claims 'No data leaves your network,' but the skill also advertises external web scraping, third-party VPN providers, Let's Encrypt, npm install, 1Password integration, and cross-node/event transports. This mismatch can mislead users and downstream agents into underestimating where data may flow, creating privacy and trust risks during deployment.

Intent-Code Divergence

Low
Confidence
87% confidence
Finding
The file describes transport as 'AES-128-GCM' in one place and elsewhere says transport is 'SSH2 with zlib compression,' which are different abstraction layers and presented inconsistently. Conflicting security claims can cause operators to misunderstand actual protections, weakening auditability and safe deployment decisions.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation guidance tells the agent to use OmniWire for broad, common requests involving servers, files, Docker, security, scraping, sync, memory, and agent workflows. Because the toolset includes highly privileged remote execution and data-handling operations, broad trigger conditions increase the chance of over-selection and unintended use without sufficient user confirmation.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill prominently exposes dangerous capabilities such as command execution, firewall management, user management, browser automation, scraping, and distributed file operations, but does not pair them with strong warnings, approval requirements, or safety boundaries. In an agent setting, that combination materially raises the risk of destructive changes, lateral movement, credential misuse, or unauthorized remote actions.

Ssd 3

Medium
Confidence
91% confidence
Finding
The instructions encourage syncing configs, saving memory, and using COC/save flows as routine behavior, which can centralize sensitive user data and agent state by default. In a multi-node, multi-tool environment, this increases the likelihood of retaining secrets, prompts, tokens, or operational context longer than intended.

Ssd 3

Medium
Confidence
95% confidence
Finding
The cross-tool sync design centralizes configuration, memory, skills, agents, and workflow state from multiple AI environments into a unified store. Even if encrypted at rest, aggregation increases blast radius: compromise or misconfiguration of the central store can expose sensitive data from several tools at once.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly supports cookie export/import and says browser session cookies are auto-exported in multiple formats, which can expose authenticated sessions and enable account takeover if mishandled. Because this is framed as normal functionality rather than an exceptional, tightly controlled operation, the risk is significant in agent-driven workflows.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.