API Health Check

Security checks across malware telemetry and agentic risk

Overview

The skill performs the advertised public API health checks, but users should treat results cautiously because its script disables normal TLS verification.

Install only if you are comfortable with it contacting the listed AI service domains. Treat its output as advisory until TLS verification is restored, because a network attacker or proxy could spoof health results.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill explicitly describes making HTTP requests to multiple external services, which is a network capability, yet no permissions are declared. This creates a transparency and policy-enforcement gap: users or the platform may not realize the skill can initiate outbound connections, and permission controls cannot be applied consistently.

Missing User Warnings

Medium

Confidence: 99% confidence
Finding: The code explicitly disables TLS certificate validation and hostname verification before making HTTPS requests. This allows a man-in-the-middle attacker to intercept or spoof responses from the API endpoints, causing the tool to report false health results and potentially expose future request metadata sent over the same insecure pattern.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal