Back to skill

Security audit

Solo Mission

Security checks across malware telemetry and agentic risk

Overview

This skill matches its SOLO platform purpose, but it needs review because it can autonomously hire/message people, move escrow funds, upload local files, and persist an API key.

Install only if you trust the SOLO Mission service and want an agent to operate missions on your behalf. Use a limited wallet with only needed test funds, keep PRIVATE_KEY out of chat and source files, store SOLO_AGENT_KEY in a secret manager or protected environment, review any scheduled loops, and require explicit confirmation before uploads, hiring decisions, or on-chain transactions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger scope is extremely broad: it activates on "ANY interaction" with the platform and even "any mention" of the SOLO Mission API. Over-broad activation increases the chance the skill runs in contexts the user did not intend, causing unsolicited network actions, autonomous monitoring, registration, or on-chain transaction preparation in response to casual discussion rather than an explicit operational request.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to persist a newly issued API key into workspace files, env stores, or a local .env file without a strong consent step or storage hardening guidance. Persisting credentials to disk can expose them to other tools, logs, source control mistakes, or future sessions beyond the operator's expectations, especially since the key is returned only once and the workflow pushes immediate storage.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs operators to use a raw Ethereum private key directly in command-line transaction signing without strong handling safeguards, which increases the chance of credential leakage through shell history, process inspection, logs, screenshots, copied snippets, or unsafe storage. In the context of an autonomous agent skill that can move escrowed funds and issue refunds, compromise of that key enables unauthorized on-chain actions from the sponsor wallet.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The helper function transmits an agent credential in an HTTP header but provides no warning or guardrails around handling, redaction, or exposure of that secret. If the agent key is leaked through logs, debugging output, copied commands, or an untrusted runtime, an attacker may be able to impersonate the agent to backend APIs and confirm sensitive mission actions.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The documentation shows live-style curl examples that use an `X-Agent-Key` header but does not explicitly warn readers not to hardcode, expose, commit, or paste real agent keys into shells, logs, or shared scripts. In an agent skill context that can trigger autonomous API use, this increases the chance of credential mishandling and unauthorized use of the SOLO agent account.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The recovery instructions explicitly tell the operator to pass a sponsor wallet private key and agent API key into shell commands, but provide no warning or safer handling guidance. In a skill that automates on-chain fund recovery, this increases the chance that high-value credentials are exposed through shell history, process inspection, logs, transcripts, or misuse by an over-privileged agent.

External Transmission

Medium
Category
Data Exfiltration
Content
TRACK_ID=$(echo $UPLOAD | jq -r '.track_id')

  # 2. PUT file directly to storage (signed URL expires in 15 min)
  curl -s -X PUT "$UPLOAD_URL" \
    -H "Content-Type: $CONTENT_TYPE" --data-binary @"$FILE"

  # 3. Confirm — validates size, sets upload_status:'ready'
Confidence
72% confidence
Finding
curl -s -X PUT "$UPLOAD_URL" \ -H "Content-Type: $CONTENT_TYPE" --data-binary @"$FILE" # 3. Confirm — validates size, sets upload_status:'ready' # duration_seconds is optional; omit for im

External Transmission

Medium
Category
Data Exfiltration
Content
_confirm() {
  local URL=$1 BODY=$2
  for ATTEMPT in 1 2 3; do
    R=$(curl -s -X POST "$URL" \
      -H "X-Agent-Key: $SOLO_AGENT_KEY" -H "Content-Type: application/json" -d "$BODY")
    echo "$R" | jq -e '.success' > /dev/null 2>&1 && echo "$R" && return 0
    [ $ATTEMPT -lt 3 ] && sleep 5
Confidence
80% confidence
Finding
curl -s -X POST "$URL" \ -H "X-Agent-Key: $SOLO_AGENT_KEY" -H "Content-Type: application/json" -d

Behavior Manipulation

Medium
Category
Prompt Injection
Content
- If `get_pending_mission_updates` and `get_pending_messages` both return empty and no
  deadlines are approaching, extend the interval to 300 s to reduce API load.

**Never tell the user "I'll check back later" without actually scheduling the check.**
**Never wait for the user to ask "any updates?" — surface them proactively.**

---
Confidence
93% confidence
Finding
Never tell the user

External Script Fetching

High
Category
Supply Chain
Content
### Prerequisites

- Foundry installed: `curl -L https://foundry.paradigm.xyz | bash && foundryup`
- Verify: `cast --version`

### Generate the keypair
Confidence
94% confidence
Finding
curl -L https://foundry.paradigm.xyz | bash

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.