WhatPeoplePayFor

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward market-data API skill that sends questions to whatpeoplepayfor.com and can save analyses there, which matches its disclosed purpose.

Install only if you trust whatpeoplepayfor.com with your market-analysis questions and API usage. Protect WPP_API_KEY like a password, and avoid using saveFocus or saved Focuses for secrets, customer data, or confidential strategy unless you are comfortable storing that content with the provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium (95% confidence)
Finding
The skill instructs users to send natural-language questions and structured query data to a third-party API using an authenticated bearer token, but it does not clearly warn that prompts, business questions, and potentially sensitive analysis inputs leave the local environment. This can lead users or downstream agents to transmit confidential market research, client data, or internal strategy information to the remote service without informed consent.

VirusTotal

63/63 vendors flagged this skill as clean.
