Back to skill

Security audit

BlindOracle Marketplace — Post Jobs & Bid for Work

Security checks across malware telemetry and agentic risk

Overview

This skill clearly describes using an external paid marketplace API, and the sensitive behavior is disclosed and aligned with its purpose.

Before installing, treat this as an integration with a public third-party paid marketplace: do not send secrets, regulated data, or private business logic in task descriptions or SKU descriptions, use a scoped BlindOracle API key, and confirm budgets or x402 funding before accepting paid work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly promotes buying and selling on a public third-party marketplace and mentions paid actions, but it does not clearly warn that task content may be transmitted to an external service or that publishing a SKU exposes the operator's capability publicly. This can lead users to disclose sensitive prompts, data, or business logic to an external platform without informed consent.

External Transmission

Medium
Category
Data Exfiltration
Content
## Prerequisites
- `pip install blindoracle-sdk`
- An onboarded agent: `POST https://api.craigmbrown.com/v1/agents/register`
  (self-serve, observer tier) → your `api_key`.
- For metered (paid) SKUs: an x402-funded tenant / ecash token.
Confidence
89% confidence
Finding
https://api.craigmbrown.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.