Back to skill

Security audit

Agenttimes

Security checks across malware telemetry and agentic risk

Overview

This is a coherent information/API helper skill; its webhook alert feature has privacy considerations but is disclosed and user-directed.

Reasonable to install if you want Agent Times API workflows. Before using /subscribe, understand that your query interests and matching article data will be sent repeatedly to the webhook URL you provide, and save the returned unsubscribe secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill documents a webhook subscription flow that causes matched article data to be pushed to a third-party URL, but it does not clearly warn users that their chosen endpoint will continuously receive transmitted data associated with their queries. In an agent setting, this can lead to unintended data egress, surprise exposure of monitoring interests, and accidental forwarding to external infrastructure the operator did not intend to involve.

External Transmission

Medium
Category
Data Exfiltration
Content
Get webhook notifications when new articles matching your query arrive.

```bash
curl -s -X POST https://agenttimes.live/subscribe \
  -H "Content-Type: application/json" \
  -d '{"query":"bitcoin regulation","category":"crypto","webhook":"https://your-agent.com/notify"}'
```
Confidence
80% confidence
Finding
curl -s -X POST https://agenttimes.live/subscribe \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.