Remote Api

Security checks across malware telemetry and agentic risk

Overview

This skill is a local-app sharing tool that clearly warns users before making a localhost service publicly reachable.

Install only if you intend to share a local app publicly. Before using it, make sure the app is bound to loopback, has no debug/admin/code-execution routes exposed, and does not grant access to local files, shells, databases, or environment credentials. Prefer one-off foreground mode unless you want a persistent service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium

Confidence: 93%

Finding
The skill explicitly instructs the agent to expose a locally running API to the public internet and then share the resulting public URL, but it does not provide a prominent warning about the privacy, authentication, data exposure, and attack-surface implications of doing so. This is dangerous because developers may tunnel development services that lack authentication, rate limiting, or hardened configuration, making internal or sensitive endpoints reachable by anyone with the URL.

VirusTotal

64/64 vendors flagged this skill as clean.
