API接口测试 (API Interface Testing)

Security checks across malware telemetry and agentic risk

Overview

This API testing skill is coherent and purpose-aligned, with ordinary cautions around sending requests and saving local request history.

Before installing, treat it like any API testing helper: do not put tokens or personal data in URLs unless needed, avoid testing internal systems unintentionally, and periodically delete api_tests.json if request history could reveal sensitive endpoint details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill persistently stores API request history to `api_tests.json` without any explicit user warning, consent flow, retention policy, or redaction. Because URLs often contain query parameters and API tests may involve internal endpoints, this can silently retain sensitive metadata and operational details on disk where other users or processes may access them.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill is explicitly designed to send arbitrary HTTP requests with custom headers and bodies, but it does not warn users that supplied data will be transmitted to remote systems. In practice this can cause accidental exfiltration of API keys, tokens, PII, or internal service information, especially because the skill context encourages testing arbitrary REST and GraphQL endpoints.

VirusTotal

66/66 vendors flagged this skill as clean.
