infini-api

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, with the main caution that its webhook testing steps may send sandbox callback data to a third-party receiver.

Before installing or using it, treat webhook.cool as a third-party debugging tool: use it only with sandbox or dummy data, avoid production callbacks, and do not send secrets, customer data, or real transaction details through the test receiver.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: This markdown file instructs users to send sandbox webhook callbacks to `webhook.cool`, which will expose event bodies and headers to an external service. Although the steps describe how to use the service, they do not warn users that callback payloads may contain transaction or system metadata and should be limited to non-sensitive sandbox data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal