Connect Tool Library

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a normal credential setup helper, but users should handle the API token carefully.

Install only if you intend to connect this tool library. Prefer environment variables, secure prompts, or a credential store over pasting tokens into command arguments; rotate the token if it may have been exposed, and remove it from the local config when no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs users to pass API tokens directly as CLI arguments when setting a library, but it does not warn that command-line arguments may be exposed through shell history, process listings, logs, or screenshots. Because this skill is specifically about managing remote tool-library credentials, the omission increases the chance of credential leakage and subsequent unauthorized access to connected tools and services.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal