Api Generator

Security checks across malware telemetry and agentic risk

Overview

This is a local API scaffolding skill whose shell scripts mainly print code templates, with a minor disclosure issue around local history logging.

Review generated API and auth code before production use. Be aware that scripts/script.sh can create a local api-generator data directory and append command history under the user's data directory unless APIGEN_DIR is set.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill advertises shell-based execution and likely uses network/environment access, but it does not declare any permissions. Undeclared capabilities reduce transparency and can mislead users or orchestration systems about what the skill is allowed to do, increasing the chance of unsafe execution in environments that rely on manifest declarations for policy enforcement.

Missing User Warnings

Low
Confidence: 81%
Finding: The script logs usage actions and user-provided arguments to a persistent history file in the user's data directory without disclosing this behavior in help text or command output. While not a direct code-execution issue, it creates an unexpected privacy and data-retention risk because project names, resource names, and other potentially sensitive identifiers may be stored silently.

VirusTotal

66/66 vendors flagged this skill as clean.
