Back to skill

Security audit

Indexnow Pro

Security checks across malware telemetry and agentic risk

Overview

This looks like an SEO documentation helper, but some copyable examples handle credentials and tokens unsafely and the command names overstate what the script actually does.

Review before installing or using as-is. Treat this as documentation, not an automation tool: it mainly prints examples. Do not paste real passwords into the shown curl commands; use scoped application tokens or environment variables. Verify secure HTTPS endpoints before using token-based submission examples, especially the Baidu snippet.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
77% confidence
Finding
The skill advertises operational capabilities that inherently require network access and likely shell/code execution via curl or Node.js, but it does not declare any permissions or safety constraints. This creates a transparency and governance gap: an agent may invoke outbound requests or local commands without the user or platform having an explicit permission model to review or enforce, which can lead to unintended external communication or command execution.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script includes an example that uses Basic Auth credentials inline in a curl command for the WordPress REST API. Users may paste real credentials into shell history, logs, process listings, or shared terminals, leading to credential exposure even though the skill itself only prints the example.

External Transmission

Medium
Category
Data Exfiltration
Content
### WordPress
```bash
# Via WP REST API
curl -X POST "https://yoursite.com/wp-json/wp/v2/pages" \
  -u "user:password" \
  -d "title=${KEY}&content=${KEY}&slug=${KEY}&status=publish"
```
Confidence
83% confidence
Finding
curl -X POST "https://yoursite.com/wp-json/wp/v2/pages" \ -u "user:password" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Baidu Alternative
```bash
# Baidu push API
curl -X POST "http://data.zz.baidu.com/urls?site=yoursite.com&token=YOUR_TOKEN" \
  -H "Content-Type: text/plain" \
  -d "https://yoursite.com/page1
https://yoursite.com/page2"
Confidence
78% confidence
Finding
http://data.zz.baidu.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.