LLM Gateway — Multi-Model AI Completions

Security checks across malware telemetry and agentic risk

Overview

This pay-per-call LLM gateway is coherent, but it sends full prompts to a third-party service in the request URL without enough privacy warning.

Review before installing. Only use this skill for prompts you are comfortable sending to GoCreative and potentially exposing in URL logs. Do not include secrets, credentials, regulated data, confidential documents, or private customer information unless the provider documents acceptable retention and logging practices.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

High

Confidence: 96% confidence
Finding: The skill instructs users to send prompts to an external API using HTTP GET with the full prompt embedded in the URL path, but it does not warn that prompts may contain sensitive data and that URLs are commonly logged by clients, proxies, gateways, browser history, and server infrastructure. In the context of an LLM gateway skill, this makes accidental disclosure of confidential user data significantly more likely.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal