AIsa Tavily

Security checks across malware telemetry and agentic risk

Overview

This is a small AIsa web-research skill whose main risk is that searches, URLs, and the AIsa API key are sent to AIsa's hosted API.

Install this only if you trust AIsa/api.aisa.one with the queries and URLs you submit. Use a scoped or rotatable AISA_API_KEY where possible, and avoid sending secrets, private URLs, regulated data, or internal-only research topics unless your organization approves that use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The setup notes that an API key is required for AIsa-backed access, but it does not clearly disclose that user queries and possibly attached context will be transmitted to an external third-party service. This can lead to inadvertent sharing of sensitive prompts, proprietary research topics, or internal data under the mistaken assumption that processing is local.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal