Tutorial Docs

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-writing skill with a weak API-key example, but it does not execute code, collect secrets, or add hidden behavior.

Safe to install as a tutorial-writing reference. Before copying its weather API example into real docs, revise the API-key step to use environment variables or an untracked secrets file, and keep the warning not to commit or share keys.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The tutorial explicitly instructs beginners to paste a live API key directly into source code, which normalizes insecure secret handling and increases the chance the key will be committed to version control, shared in screenshots, or copied into unsafe examples. Although the file includes a general warning not to share the key, it does not demonstrate or recommend safer storage such as environment variables or a local secrets file, making this a real security weakness in a learning-oriented document.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal