Webhook Receiver

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but its sample webhook setup exposes a local HTTP handler to the internet and logs full request headers and bodies with no guidance on what that data may contain or how to protect it.

Install only if you are comfortable exposing a local HTTP handler to the internet. Do not use the sample as-is for real OAuth, payment, or account webhooks. Before logging or storing any payload, add signature verification, an unguessable random path, a request size limit, and redaction of Authorization headers, cookies, tokens, signatures, and personal data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
This skill directs the user to expose a local HTTP endpoint to the public internet and recommends logging full request headers and bodies for debugging. Webhooks and OAuth callbacks commonly carry secrets, bearer tokens, signatures, session parameters, PII, or payment-related data, so indiscriminate logging can leak that material into shell history, log files, or downstream log collectors. With no guidance on authentication, signature verification, redaction, or minimizing exposure, the pattern is a real security issue in the context this skill is used in.
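The controls the Overview asks for (signature verification, a random path, a size limit, redaction before logging) and the logging problem described in this finding, shown together in one hardened receiver. This is an added example written for this page, not the skill's own sample code. It assumes a hex HMAC-SHA256 signature over the raw body sent in an `X-Hook-Signature` header; real providers use their own header names and signing schemes, so adapt `sign`/`verify_signature` to the sender you actually integrate with. The sample request in `demo_request` is constructed, not captured traffic.

```python
"""Hardened webhook receiver: secret path, size limit, HMAC check, redacted logs."""
import hashlib
import hmac
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY_BYTES = 64 * 1024                 # reject oversized posts before buffering them
SIGNATURE_HEADER = "x-hook-signature"      # assumed header name; real providers use their own
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key", SIGNATURE_HEADER}
SENSITIVE_KEYS = ("token", "secret", "password", "signature", "email", "card", "ssn")


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body; the sender is assumed to compute the same value."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, presented) -> bool:
    """Constant-time comparison; a missing or malformed header fails closed."""
    if not presented:
        return False
    expected = sign(secret, body).encode()
    return hmac.compare_digest(expected, presented.strip().lower().encode())


def redact_headers(headers: dict) -> dict:
    """Mask credential-bearing headers but keep their names so logs stay useful."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


def redact_json(value):
    """Recursively mask values whose key looks like a credential or PII."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if any(s in k.lower() for s in SENSITIVE_KEYS)
                    else redact_json(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_json(v) for v in value]
    return value


def handle_webhook(path, headers, body, secret, expected_path, content_length):
    """Pure decision function used by the HTTP handler (and directly testable).

    Returns (status_code, log_record). The record is already redacted, so it is the
    only thing that should ever reach print(), a file, or a log collector.
    """
    if not hmac.compare_digest(path.encode(), expected_path.encode()):
        return 404, {"event": "unknown_path"}            # do not confirm the real path
    if content_length > MAX_BODY_BYTES:
        return 413, {"event": "body_too_large", "length": content_length}
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(secret, body, lowered.get(SIGNATURE_HEADER)):
        return 401, {"event": "bad_signature"}
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, {"event": "bad_json"}
    return 200, {"event": "accepted",
                 "headers": redact_headers(headers),
                 "body": redact_json(payload)}


class WebhookHandler(BaseHTTPRequestHandler):
    secret = b""           # both attributes are bound per server by make_server()
    expected_path = "/"

    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length") or 0)
        except ValueError:
            length = MAX_BODY_BYTES + 1                    # unparsable length: treat as too large
        # Oversized requests are rejected without reading the body into memory.
        body = self.rfile.read(length) if length <= MAX_BODY_BYTES else b""
        status, record = handle_webhook(self.path, dict(self.headers), body,
                                        self.secret, self.expected_path, length)
        print(json.dumps(record))                          # redacted record only
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass   # the default access log would print the secret path on every request


def make_server(secret: bytes, host="127.0.0.1", port=8080):
    """Bind on a random, unguessable path; returns the server and the path to give the sender."""
    path = "/hook/" + secrets.token_urlsafe(24)
    bound = type("BoundHandler", (WebhookHandler,), {"secret": secret, "expected_path": path})
    return HTTPServer((host, port), bound), path


def demo_request(secret=b"constructed-demo-secret"):
    """Constructed sample request (not real traffic) pushed through handle_webhook."""
    body = json.dumps({"order_id": 42, "customer_email": "a@example.com",
                       "access_token": "ya29.example", "items": [{"sku": "X1", "card_last4": "1111"}]}).encode()
    headers = {"Content-Type": "application/json",
               "Authorization": "Bearer should-not-be-logged",
               "X-Hook-Signature": sign(secret, body)}
    return handle_webhook("/hook/demo", headers, body, secret, "/hook/demo", len(body))


if __name__ == "__main__":
    print(demo_request())   # server, path = make_server(secret); server.serve_forever()
```

Two design points worth noting. The decision logic lives in `handle_webhook`, a pure function, so the checks can be exercised without opening a socket, and the raw request never touches `print()`: only the record returned after redaction does. Redaction is by key name, which is deliberately coarse; for a real integration, extend `SENSITIVE_KEYS` and `SENSITIVE_HEADERS` with the provider's actual field names rather than relying on substring matches alone.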

VirusTotal

VirusTotal findings are pending for this skill version.
