Aicoo Onboarding

Security checks across malware telemetry and agentic risk

Overview

This Aicoo onboarding skill is not clearly malicious, but it bundles broad local data scanning, cloud upload, social actions, share links, and public posting into a first-time setup flow.

Install only if you are comfortable manually supervising every step. Before using it, limit which files can be scanned, review all upload payloads, avoid secrets and confidential repositories, do not persist API keys in shell startup files unless you accept that risk, and confirm every connection, share-link scope, notes permission, expiration, and public post before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill labeled as onboarding goes well beyond setup by driving users into discovery, networking, public sharing, and posting flows. That scope expansion is dangerous because it can cause users to trigger outbound social actions and public exposure when they expected only initialization help.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to perform connection and outreach actions to other users as part of onboarding, including instant connect and friend-request flows. Social actions affecting third parties should not happen implicitly during setup because they can create unwanted external interactions and reputational consequences for the user.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This onboarding flow creates a public-facing share link and then uses it to publish an open, discoverable post. Combining setup with public exposure is risky because users may unknowingly make their agent and workspace reachable before understanding the privacy and visibility implications.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The onboarding example goes beyond basic first-time setup by creating an external investor share link, which materially expands data exposure. In a first-run workflow, encouraging external sharing increases the chance a user exposes internal notes or folders before understanding scopes, permissions, or retention implications.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Directing the agent to scan local files during onboarding exceeds the stated purpose and can collect sensitive data unrelated to initial setup. Because this occurs in a trust-building first-time flow, users may consent without understanding that private local content could be ingested or transmitted.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list is overly broad, including generic phrases such as 'init', 'initialize', 'register', and 'API key'. That increases the chance of accidental invocation, which is particularly dangerous here because the skill performs sensitive local scanning, syncing, and potentially public-facing actions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill directs scanning of local files, docs, git history, and memory files and then syncing content to a remote service, but it does not provide an explicit privacy warning or obtain informed consent first. This is dangerous because users may expose sensitive source code, internal notes, secrets, or personal information without understanding the scope of collection.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The connect/request actions are presented as routine onboarding steps without explicit warning or confirmation guidance. That omission is risky because it can trigger external communications or relationship changes on the user's behalf without deliberate consent.

Missing User Warnings

High
Confidence
98% confidence
Finding
The share-link and Square-post steps create broad discoverability and external access but do not give a clear upfront warning about exposure and persistence. Users may not realize they are making their agent reachable and publishing themselves publicly as part of onboarding.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example instructs users to export a live API key directly in the shell, which can leave secrets in shell history, process logs, screenshots, or shared terminal sessions. The absence of a warning or safer alternative creates unnecessary credential exposure risk during onboarding.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The workflow instructs users to scan local files and bulk-upload project documents without a clear privacy notice or data-sharing consent checkpoint. This can lead to accidental transmission of confidential business, technical, or personal information to an external service under the guise of simple setup.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The share-link workflow lacks a strong warning to verify the exact folders and note permissions being exposed before generating an investor-facing URL. Users may assume the defaults are safe and unintentionally share more information than intended, especially in an onboarding context where trust is high and familiarity is low.

Ssd 3

High
Confidence
99% confidence
Finding
The skill directs broad collection of local context including project files, docs, git history, and memory files, without clear minimization or exclusion rules. This is dangerous because these sources commonly contain proprietary code, credentials, personal notes, or other sensitive material unrelated to onboarding.

Ssd 3

High
Confidence
97% confidence
Finding
The skill instructs uploading synthesized identity and workspace content derived from local context to a remote service. Even synthesized summaries can leak sensitive operational details, personal profile data, or internal architecture information if sent without review and consent.

Ssd 3

High
Confidence
99% confidence
Finding
The share configuration uses broad scopes such as 'scope: all' and 'notesAccess: read', then frames the result as a public agent link. That can expose large portions of the user's workspace and notes to external parties, making this the most severe issue in the file.

Ssd 4

High
Confidence
95% confidence
Finding
The four-step narrative gradually normalizes scanning local data, syncing it, creating external reachability, and publishing publicly as a seamless onboarding loop. This context makes the behavior more dangerous because each step reduces user skepticism and encourages escalating disclosure without clear pause points or consent gates.

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 5: Create first note (OS endpoint)

```bash
curl -s -X POST "https://www.aicoo.io/api/v1/os/notes" \
  -H "Authorization: Bearer $AICOO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
89% confidence
Finding
curl -s -X POST "https://www.aicoo.io/api/v1/os/notes" \ -H "Authorization: Bearer $AICOO_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 6: Bulk sync project docs

```bash
curl -s -X POST "https://www.aicoo.io/api/v1/accumulate" \
  -H "Authorization: Bearer $AICOO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
94% confidence
Finding
curl -s -X POST "https://www.aicoo.io/api/v1/accumulate" \ -H "Authorization: Bearer $AICOO_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 7: Create investor share link

```bash
curl -s -X POST "https://www.aicoo.io/api/v1/os/share" \
  -H "Authorization: Bearer ${AICOO_API_KEY:-$PULSE_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
91% confidence
Finding
curl -s -X POST "https://www.aicoo.io/api/v1/os/share" \ -H "Authorization: Bearer ${AICOO_API_KEY:-$PULSE_API_KEY}" \ -H "Content-Type: application/json" \ -d

Context Leakage

High
Category
Data Exfiltration
Content
```bash
-H "Authorization: Bearer $AICOO_API_KEY" | jq .
```

### Step 4: Explore and collect context

Ask startup basics (product, team, traction, boundaries), then scan local files.
Confidence
98% confidence
Finding
collect context

VirusTotal

VirusTotal findings are pending for this skill version.
