Node.js API Client Gold Standard

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Node.js API client helper whose network and API-key behavior matches its stated purpose.

Install only if you are comfortable configuring the endpoints yourself. Treat every primary and backup endpoint as trusted, because retries and failover can send request payloads and API keys there; avoid hard-coding production keys in shared code and stop or disable the health-check interval when you no longer need the client running.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The markdown instructs users to configure multiple endpoints and API keys and to send requests, but it provides no warning that request data will be sent to external services or guidance on protecting credentials. This is risky because operators may expose sensitive payloads or mishandle API keys, especially with automatic retry and failover across multiple upstream services.

VirusTotal

65/65 vendors flagged this skill as clean.
