Search For Service

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent x402 marketplace search helper, but its endpoint inspection can automatically send unsafe HTTP methods to arbitrary URLs.

Install only if you are comfortable with the agent contacting external x402 marketplace services and running an unpinned npm CLI. Use endpoint inspection only on trusted x402 URLs, because the documented probing may send POST, PUT, DELETE, or PATCH requests while checking payment requirements.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill description explicitly says it should be used as a fallback when no other skill clearly matches, which makes routing overly broad and increases the chance the agent invokes an external-service discovery workflow for generic or ambiguous requests. In a marketplace-search skill, this can steer users toward unnecessary third-party paid APIs, expand exposure to untrusted external services, and weaken least-privilege skill selection.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal