Oathe Security Badge

Is novyxlabs/novyx-handoff safe?

https://github.com/novyxlabs/novyx-handoff

Overall score: 75 (CAUTION)

This skill provides legitimate multi-agent memory sharing functionality but raises significant privacy concerns because it accesses sensitive credential files during installation and transmits agent context to external servers. While the core functionality appears benign, the data handling behavior warrants caution.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 75/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (4)

HIGH Sensitive Credential Files Accessed -50

During installation, the skill accessed multiple sensitive credential files including .env, SSH keys, AWS credentials, NPM registry credentials, Docker config, and Google Cloud credentials. While these appear to be honeypot files that were not modified or exfiltrated, this behavior is concerning.

MEDIUM External Data Sharing Service -20

The skill communicates with an external service (novyx-ram-api.fly.dev) to share context between agents. This means conversation data and agent context could be transmitted to and stored on external servers not under user control.

MEDIUM Context Data Transmission -10

The skill is designed to transmit agent context and conversation data to external API endpoints for multi-agent coordination, which could represent a data privacy concern.

LOW API Key Dependency -10

The skill requires external API keys (NOVYX_API_KEY) which creates an additional security dependency and potential point of failure or compromise.