OpenAPI to CLI

Security checks across malware telemetry and agentic risk

Overview

This is a coherent OpenAPI-to-CLI helper with expected API credential and network-use risks that users should handle carefully.

Before installing, treat generated CLIs as real API clients. Prefer environment variables or a secret manager over passing keys as flags, inspect generated commands before running them, use staging or test APIs when possible, and get explicit confirmation before mutating production resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill shows passing an API key directly on the command line (`--api-key "sk-..."`), which can expose credentials via shell history, process listings, terminal logs, or agent telemetry. In an agent-oriented skill, this is more dangerous because automated systems may record executed commands and persist secrets in logs or traces.

VirusTotal

64/64 vendors flagged this skill as clean.
