Back to skill

Security audit

OpenAPI to CLI

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent OpenAPI-to-CLI helper with normal API credential and network-use risks that users should handle carefully.

Before installing or using this skill, treat generated CLIs as real API clients. Prefer environment variables or a secret manager over command-line credential flags, inspect generated commands and OpenAPI specs before execution, use dry-run or staging endpoints when possible, and avoid production tokens unless the action is intentional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill encourages generating and using CLIs that make real API calls with authentication, but it does not warn users that the generated tools can send authenticated network requests or that passing secrets on the command line may expose them through shell history, process listings, logs, or agent traces. In an AI-agent context, this omission is more dangerous because agents may automatically execute suggested commands and handle credentials non-interactively, increasing the chance of unintended requests or secret leakage.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.