Security audit

Agent Org Manager

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed multi-agent governance guide, but one ready-to-deploy monthly cron template can automatically publish skills and create GitHub releases without clear approval controls.

Review before installing if you do not want an agent to manage SkillHub publishing or GitHub releases. The governance templates are mostly coherent, but do not deploy the monthly maintenance cron unless repository credentials, branch protections, dry-run behavior, rollback steps, and explicit human approval are in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Severity: High
Confidence: 94%
Finding:
The monthly maintenance template instructs an agent to republish skills and perform GitHub commit, tag, push, and release operations automatically. This grants a broad software supply-chain capability that exceeds routine agent-organization coordination and could modify or distribute code/content if triggered with insufficient review or compromised inputs.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding:
The specific instruction to sync to GitHub with commit, tag, push, and release creates direct repository and release-management authority inside a management-oriented skill. If the agent follows stale, poisoned, or unintended local changes, it can publish unauthorized updates and create a supply-chain risk beyond the skill's stated purpose.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The trigger list includes very broad phrases such as "agent团队" (agent team), "Agent管理" (agent management), and "AI组织" (AI organization), which can match many ordinary conversations about AI teamwork rather than a clear request for this specific skill. That creates unintended activation risk: the skill may inject its organizational instructions into unrelated contexts, influencing agent behavior when the user did not explicitly ask for it.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The template directs automated file writes and external publishing but does not warn operators that it can alter local state and push artifacts to remote systems. Lack of explicit impact disclosure increases the chance of accidental deployment or misuse, especially in a reusable 'copy and deploy' template.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.