Craftsman Agent Build Plans

Security checks across malware telemetry and agentic risk

Overview

This skill is essentially a wrapper around an external build-plan API, and that is disclosed, but it automatically sends prompts and image URLs to a remote service and falls back to a bundled demo API key when the user has not supplied credentials.

Install only if you intend to use the external Craftsman/OneKey service. Do not submit private prompts, proprietary designs, or private image URLs unless you trust that provider. Prefer using your own scoped API key, review billing and privacy terms, and avoid relying on the bundled demo key.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
The documentation instructs the agent to automatically use a built-in demo API key when the user has not provided credentials. Hardcoded or shared fallback credentials create unauthorized third-party service access, obscure accountability, and can normalize sending user prompts to an external service without explicit consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The script embeds a hard-coded fallback credential (`BETA_TEST_KEY_MARCH_2026`) and automatically uses it when the user has not configured their own API key. This causes requests to be authenticated with third-party credentials without explicit user approval, which can enable unauthorized service use, credential abuse, quota exhaustion, and operational dependence on a secret shipped in code.

Context-Inappropriate Capability

Severity: Medium
Confidence: 99%
Finding:
The script contains a hard-coded fallback credential and will automatically use it when the real API key is absent. Embedding usable credentials in distributed code is dangerous because anyone with the skill can extract and abuse the key, and the fallback also masks configuration failures by still sending requests to the remote service.

Intent-Code Divergence

Severity: Low
Confidence: 96%
Finding:
The code tells the user the API is not free, but then silently proceeds with a built-in demo key after a delay. This misleading behavior reduces informed consent and can conceal that the tool is still making authenticated remote requests, which is especially problematic in an agent skill that may be run automatically.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill tells users to proceed with a shared demo key but does not clearly warn that prompts and related data will be transmitted to an external network service under shared credentials. This increases the risk of inadvertent data disclosure, misuse of a common credential, and confusion about who is authorized to access the service.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The script sends the user prompt and any supplied reference image URLs to a remote endpoint, but it does not provide a clear user-facing notice at the point of transmission beyond generic CLI behavior. In this skill context, prompts and image references may contain sensitive design data, proprietary content, or personal information, so silent exfiltration to an external service creates a meaningful privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The script takes an API key from the environment and appends it to the request URL as a query parameter for a third-party endpoint. Sending secrets to a remote service is expected for API use, but placing the key in the URL is risky because URLs are commonly logged by clients, proxies, monitoring tools, and server infrastructure, increasing accidental secret exposure.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The script sends the user-supplied prompt and reference image URLs to a third-party endpoint over the network, but it does not provide a clear, explicit notice at the point of use that this data leaves the local environment. In a build-plan skill, prompts or image URLs may contain private project details, proprietary designs, or internal links, so silent transmission creates a meaningful privacy and data-handling risk.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The API key is placed in the URL query string as the `onekey` parameter, which is unsafe because URLs are commonly logged by clients, proxies, gateways, browser history, shell history, and server infrastructure. Even over HTTPS, query parameters can still be exposed in observability tooling or error logs, making credential leakage and subsequent unauthorized API use more likely.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
This script transmits the user-provided prompt and reference image URLs to a third-party remote endpoint, but only warns about missing API credentials and not about data disclosure. Users may reasonably assume the tool is local or harmless, causing unintended exfiltration of potentially sensitive prompts, internal URLs, or proprietary image references.

VirusTotal

60/60 vendors flagged this skill as clean.