protocol bridge

Security checks across malware telemetry and agentic risk

Overview

The skill describes a legitimate protocol bridge, but users should secure it carefully because it can route agent messages through a running network service.

Before installing, verify the referenced npm package and repository, avoid exposing the bridge on public interfaces, require authentication, use least-privilege agent credentials, and connect only agents whose data and actions you are comfortable routing through the bridge.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill documents starting a network-facing bridge server, registering HTTP endpoints, and relaying cross-protocol messages, but it does not warn users that agent messages may be routed through a central service or exposed over the network if deployed insecurely. In an agent-integration context, this omission can lead users to forward sensitive prompts, credentials, or business data without understanding trust boundaries, authentication requirements, or transport protections.

VirusTotal

66/66 vendors flagged this skill as clean.
