Skool All-in-One API

Security checks across malware telemetry and agentic risk

Overview

This skill is openly for Skool community administration, but it gives a third-party Apify actor broad write, moderation, credential, and reusable-session access without enough safety guidance.

Install only if you intend to let this Apify actor administer a Skool community. Verify the Apify actor and publisher, use the least-privileged Skool account available, protect APIFY_TOKEN/password/cookies as secrets, and require an explicit confirmation step before any post creation, edit, delete, member approval, rejection, or ban.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (10)

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The skill is described as the default tool for broad community-management tasks while also possessing high-risk write capabilities, including deletion, rejection, banning, and posting. That broad invocation scope increases the chance the agent will select a destructive tool for ambiguous requests without first establishing user intent or applying least-privilege behavior.

Missing User Warnings

High

Confidence: 95% confidence
Finding: The documentation exposes destructive actions such as posts:delete, members:reject, and members:ban without an explicit warning or confirmation requirement. In an agent setting, this omission can lead to accidental irreversible moderation or content changes from misunderstood or underspecified user prompts.

External Transmission

Medium

Category: Data Exfiltration
Content: ```bash # Login and get cookies export $(grep APIFY_TOKEN .env | xargs) RESULT=$(curl -s -X POST "https://api.apify.com/v2/acts/cristiantala~skool-all-in-one-api/runs?token=$APIFY_TOKEN&waitForFinish=120" \ -H "Content-Type: application/json" \ -d '{ "action": "auth:login",
Confidence: 92% confidence
Finding: curl -s -X POST "https://api.apify.com/v2/acts/cristiantala~skool-all-in-one-api/runs?token=$APIFY_TOKEN&waitForFinish=120" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium

Category: Data Exfiltration
Content: ```bash export $(grep APIFY_TOKEN .env | xargs) curl -s -X POST "https://api.apify.com/v2/acts/cristiantala~skool-all-in-one-api/runs?token=$APIFY_TOKEN&waitForFinish=120" \ -H "Content-Type: application/json" \ -d '{ "action": "ACTION_NAME",
Confidence: 88% confidence
Finding: curl -s -X POST "https://api.apify.com/v2/acts/cristiantala~skool-all-in-one-api/runs?token=$APIFY_TOKEN&waitForFinish=120" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium

Category: Data Exfiltration
Content: ```bash export $(grep APIFY_TOKEN .env | xargs) curl -s -X POST "https://api.apify.com/v2/acts/cristiantala~skool-all-in-one-api/runs?token=$APIFY_TOKEN&waitForFinish=120" \ -H "Content-Type: application/json" \ -d '{ "action": "ACTION_NAME",
Confidence: 91% confidence
Finding: curl -s -X POST "https://api.apify.com/v2/acts/cristiantala~skool-all-in-one-api/runs?token=$APIFY_TOKEN&waitForFinish=120" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium

Category: Data Exfiltration
Content: ```bash # Login and get cookies export $(grep APIFY_TOKEN .env | xargs) RESULT=$(curl -s -X POST "https://api.apify.com/v2/acts/cristiantala~skool-all-in-one-api/runs?token=$APIFY_TOKEN&waitForFinish=120" \ -H "Content-Type: application/json" \ -d '{ "action": "auth:login",
Confidence: 92% confidence
Finding: https://api.apify.com/

External Transmission

Medium

Category: Data Exfiltration
Content: }') RUN_ID=$(echo $RESULT | jq -r '.data.id') COOKIES=$(curl -s "https://api.apify.com/v2/actor-runs/$RUN_ID/dataset/items?token=$APIFY_TOKEN" | jq -r '.[0].cookies') echo "Cookies saved. Valid for ~3.5 days." ```
Confidence: 90% confidence
Finding: https://api.apify.com/

External Transmission

Medium

Category: Data Exfiltration
Content: ```bash export $(grep APIFY_TOKEN .env | xargs) curl -s -X POST "https://api.apify.com/v2/acts/cristiantala~skool-all-in-one-api/runs?token=$APIFY_TOKEN&waitForFinish=120" \ -H "Content-Type: application/json" \ -d '{ "action": "ACTION_NAME",
Confidence: 88% confidence
Finding: https://api.apify.com/

External Transmission

Medium

Category: Data Exfiltration
Content: ```bash export $(grep APIFY_TOKEN .env | xargs) curl -s -X POST "https://api.apify.com/v2/acts/cristiantala~skool-all-in-one-api/runs?token=$APIFY_TOKEN&waitForFinish=120" \ -H "Content-Type: application/json" \ -d '{ "action": "ACTION_NAME",
Confidence: 91% confidence
Finding: https://api.apify.com/

External Transmission

Medium

Category: Data Exfiltration
Content: ```bash RUN_ID=$(echo $RESULT | jq -r '.data.id') curl -s "https://api.apify.com/v2/actor-runs/$RUN_ID/dataset/items?token=$APIFY_TOKEN" | jq . ``` ### Step 4: Present Results
Confidence: 83% confidence
Finding: https://api.apify.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal