Metered API Marketplace

Security checks across malware telemetry and agentic risk

Overview

The skill fits its monetized API purpose, but it needs review because its payment webhook path can mutate balances and one demo webhook secret defaults to an unsafe empty value if deployed as-is.

Review before installing or deploying. Set strong webhook secrets for every provider, fail closed when any secret is missing, restrict admin endpoints, protect the Postgres database, and document what usage and payment metadata is stored and retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 82%
Finding
This skill is explicitly designed to log per-request usage, manage prepaid balances, and receive payment webhooks, yet the description does not clearly warn users that request data, billing events, and payment-related metadata may be stored and processed. In a monetized API context, that omission can mislead deployers and end users about financial side effects and data handling, increasing the risk of accidental exposure of sensitive request contents, unexpected charges, and weak consent/compliance posture.

VirusTotal

66/66 vendors flagged this skill as clean.
