Back to skill

Security audit

Apimon

Security checks across malware telemetry and agentic risk

Overview

APIMon is a local API-note logging tool with overstated monitoring wording, but it does not show hidden access, exfiltration, destructive behavior, or privilege use.

Install only if you want a local logbook for API-related notes, not an automatic uptime monitor. Do not enter tokens, Authorization headers, cookies, private payloads, customer data, or sensitive internal endpoints because entries are saved under ~/.local/share/apimon and can be searched or exported.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill’s declared purpose is API monitoring and uptime validation, but the documented behavior is a generic text-logging system that stores arbitrary user input and supports unrelated commands. This mismatch is dangerous because users may trust it with operational or sensitive API data under the assumption it performs monitoring, while it actually accumulates persistent local records that can expose secrets and mislead users about what the tool truly does.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest markets the skill as monitoring endpoints and response times, but the content describes only local logging of arbitrary text. This deceptive interface can cause operators to rely on nonexistent health-check behavior and to input sensitive API details that are then stored verbatim, creating both security and operational risk.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The examples imply real checks, validation, and monitoring, but the documented implementation only records the supplied strings. This can lead users to paste real endpoints, schemas, error details, or operational context into logs, believing the tool is analyzing them, when it is merely persisting them for later retrieval and export.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implemented interface and help text materially diverge from the declared API monitoring purpose, exposing users to capabilities they would not reasonably expect from this skill. In an agent setting, deceptive scope increases the risk that the tool is invoked with sensitive operational data under false assumptions, enabling unintended collection and persistence of that data.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The core commands do not perform monitoring or validation; they simply persist arbitrary user-supplied strings into local logs. This is dangerous because users or calling agents may pass URLs, tokens, schemas, headers, or incident data expecting analysis, but the tool instead stores that content on disk, creating an unnecessary data-retention and confidentiality risk.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The presence of broad generic devtools-style commands is not justified by the skill's stated purpose and expands the operational scope beyond what a user would expect. Excess capability in a mislabeled skill increases attack surface and the chance of misuse, especially when an agent may route arbitrary content into these commands.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The inline branding and help text identify the program as a generic devtools toolkit, contradicting the manifest's API monitoring description. This inconsistency is dangerous in agent ecosystems because trust and authorization decisions may be based on metadata, while the actual tool advertises and behaves differently.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill persistently logs all command inputs without a prominent upfront warning, despite being positioned for API work where inputs may include URLs, headers, tokens, schema details, or incident notes. Silent persistence increases the chance that users disclose sensitive material that remains on disk and searchable.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
User-provided input is written directly to persistent local log files without any warning about retention, sensitivity, or storage location. In the context of an API-monitoring skill, users may reasonably provide endpoints, auth material, payloads, or internal diagnostics, so silent persistence can expose confidential data to later local access or accidental disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The export feature aggregates all historical logs and materializes them into new files without clear user warning that previously stored content will be recopied and broadened in exposure. This can amplify the impact of earlier silent logging by making sensitive historical data easier to access, share, or mishandle.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill instructs persistence and export of all user-provided inputs, which creates a local data-hoarding mechanism for API-related text that may include sensitive operational information. Export functionality further increases exposure by making bulk extraction easy if the host is shared, compromised, or backed up insecurely.

Ssd 3

Medium
Confidence
96% confidence
Finding
The instructions explicitly state that command arguments are saved verbatim and centrally tracked across commands, enabling correlation of a user’s activity and potentially sensitive API work. Centralized history increases the blast radius because one file can reveal a broad timeline of endpoints, incidents, and workflows.

Ssd 3

Medium
Confidence
95% confidence
Finding
The data storage section describes a searchable persistent archive plus export of collected inputs, which materially increases discoverability and exfiltration risk for anything users enter. In an API context, even seemingly harmless logs can contain internal endpoints, failure details, business identifiers, or authentication-related hints.

Ssd 3

Medium
Confidence
93% confidence
Finding
The examples encourage recording request templates, auth headers, and endpoint details that users may copy directly from live API workflows. Because the skill stores inputs verbatim, these examples normalize logging potentially sensitive material and increase the likelihood of credential or internal system exposure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.