Cubistic Painter

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Cubistic painting bot runner, but users should avoid sharing its run-loop logs: the startup log line prints the bot API key in plaintext.

Install only if you intend to run a bot that can publicly paint pixels on the configured Cubistic backend. Verify BACKEND_URL, use a limited bot key, keep loop limits small, and redact terminal or CI logs from run-loop before sharing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The script logs `API_KEY` in plaintext at startup via `console.log(... { BACKEND_URL, bot: API_KEY, COLOR_INDEX })`, which can expose the credential to terminal history, CI logs, process supervisors, or centralized log collectors. Because this key is used as the bot identity / `X-Api-Key`, anyone with log access may be able to impersonate the bot and consume quota or perform unauthorized actions through the Cubistic API.
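The following is an added example, not code from the Cubistic Painter skill or from SkillSpector. It covers the mitigations the Overview asks for (verify BACKEND_URL, redact run-loop logs before sharing) and the hardened form of the startup log in the finding. The host allowlist, the config values and the captured log excerpt are constructed for the example; the names BACKEND_URL, API_KEY and COLOR_INDEX are the ones the finding mentions.

```javascript
// Added example (not the skill's own code): validate the backend URL, log the
// startup config without the bot key, and scrub/check captured logs by value.

// Constructed sample environment; the values are made up for this example.
const env = {
  BACKEND_URL: "https://paint.cubistic.example/api",
  API_KEY: "cb_bot_0123456789abcdef0123456789abcdef",
  COLOR_INDEX: "3",
};

// Assumed allowlist of backends the bot is permitted to paint on.
const ALLOWED_BACKEND_HOSTS = ["paint.cubistic.example"];

// Refuse to start unless BACKEND_URL is https and points at an allowed host,
// so an edited env cannot redirect the X-Api-Key header to another server.
function validateBackendUrl(raw, allowedHosts = ALLOWED_BACKEND_HOSTS) {
  let u;
  try { u = new URL(raw); } catch { return { ok: false, reason: "not a URL" }; }
  if (u.protocol !== "https:") return { ok: false, reason: "scheme must be https" };
  if (!allowedHosts.includes(u.hostname)) return { ok: false, reason: `host ${u.hostname} not allowed` };
  return { ok: true, url: u.toString() };
}

// Keep a 4-character prefix so two runs can still be told apart in logs.
function maskSecret(value) {
  const s = String(value);
  return s.length <= 8 ? "[REDACTED]" : `${s.slice(0, 4)}...[REDACTED]`;
}

// Build a scrubber that replaces every occurrence of each known secret value
// (and its URL-encoded form) anywhere in a string. Matching on the value rather
// than on a key name is what catches `bot: API_KEY`, where the property name
// gives no hint that the value is a credential. split/join avoids regex escaping.
function createRedactor(secrets) {
  const forms = [];
  for (const s of secrets) {
    if (!s) continue;
    forms.push([s, maskSecret(s)]);
    const enc = encodeURIComponent(s);
    if (enc !== s) forms.push([enc, maskSecret(s)]);
  }
  return (text) => forms.reduce((t, [needle, mask]) => t.split(needle).join(mask), String(text));
}

// Hardened replacement for the line in the finding:
//   console.log("starting", { BACKEND_URL, bot: API_KEY, COLOR_INDEX });
// The raw key is never placed in the logged object, and the line is scrubbed anyway.
function startupLine(cfg, redact) {
  const shown = { BACKEND_URL: cfg.BACKEND_URL, bot: maskSecret(cfg.API_KEY), COLOR_INDEX: cfg.COLOR_INDEX };
  return redact(`starting ${JSON.stringify(shown)}`);
}

// Pre-share check for a captured run-loop or CI log: returns the 1-based line
// numbers that still contain a secret value, so the log is scrubbed or withheld.
function findLeaks(logText, secrets) {
  const redact = createRedactor(secrets);
  return logText.split("\n").flatMap((line, i) => (redact(line) !== line ? [i + 1] : []));
}

const redact = createRedactor([env.API_KEY]);
console.log(validateBackendUrl(env.BACKEND_URL));
console.log(startupLine(env, redact));

// Constructed log excerpt of the kind the finding warns about; line 2 leaks the key.
const capturedLog = [
  "run-loop started",
  `starting { BACKEND_URL: "${env.BACKEND_URL}", bot: "${env.API_KEY}", COLOR_INDEX: 3 }`,
  "painted pixel (12, 40)",
].join("\n");
console.log("leaking lines:", findLeaks(capturedLog, [env.API_KEY]));
console.log(redact(capturedLog));
```

Run the redactor over every string the bot emits (console, process supervisor, CI), not only the startup banner, and run `findLeaks` on any log before pasting it into an issue or chat. Because the scrubber is keyed on the secret value, it still works when the key reaches a log through a property named `bot`, a request dump or an error message.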

VirusTotal

65/65 vendors flagged this skill as clean.
