Back to skill

Security audit

Capacities

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Capacities API helper; it sends user-chosen notes, links, searches, and space requests to Capacities as expected.

Install only if you intend Codex to help send selected content to your Capacities account. Treat note text, URLs, and search terms as data shared with Capacities, avoid pasting secrets or regulated information unless appropriate, and store the API token carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to send notes, URLs, search terms, and space metadata to an external Capacities API using a bearer token, but it does not disclose this data flow or warn about sensitivity and third-party handling. This can lead users to unknowingly transmit private knowledge-base content and identifiers off-platform, increasing privacy and data handling risk.

External Transmission

Medium
Category
Data Exfiltration
Content
### Daily Notes
To add a thought, task, or note to today's daily note:
`curl -X POST https://api.capacities.io/save-to-daily-note -H "Authorization: Bearer $CAPACITIES_API_TOKEN" -H "Content-Type: application/json" -d '{"spaceId": "$CAPACITIES_SPACE_ID", "mdText": "Your note here"}'`

### Web Links
To save a URL to your space:
Confidence
93% confidence
Finding
curl -X POST https://api.capacities.io/save-to-daily-note -H "Authorization: Bearer $CAPACITIES_API_TOKEN" -H "Content-Type: application/json" -d '{"spaceId": "$CAPACITIES_SPACE_ID", "mdText": "Your n

External Transmission

Medium
Category
Data Exfiltration
Content
### Daily Notes
To add a thought, task, or note to today's daily note:
`curl -X POST https://api.capacities.io/save-to-daily-note -H "Authorization: Bearer $CAPACITIES_API_TOKEN" -H "Content-Type: application/json" -d '{"spaceId": "$CAPACITIES_SPACE_ID", "mdText": "Your note here"}'`

### Web Links
To save a URL to your space:
Confidence
93% confidence
Finding
https://api.capacities.io/

External Transmission

Medium
Category
Data Exfiltration
Content
### Web Links
To save a URL to your space:
`curl -X POST https://api.capacities.io/save-weblink -H "Authorization: Bearer $CAPACITIES_API_TOKEN" -H "Content-Type: application/json" -d '{"spaceId": "$CAPACITIES_SPACE_ID", "url": "https://example.com"}'`

### Search / Lookup
To find an object's ID:
Confidence
92% confidence
Finding
https://api.capacities.io/

External Transmission

Medium
Category
Data Exfiltration
Content
### Search / Lookup
To find an object's ID:
`curl -X POST https://api.capacities.io/lookup -H "Authorization: Bearer $CAPACITIES_API_TOKEN" -H "Content-Type: application/json" -d '{"spaceId": "$CAPACITIES_SPACE_ID", "searchTerm": "My Note"}'`

### Space Info
To get all object types and structures:
Confidence
91% confidence
Finding
https://api.capacities.io/

External Transmission

Medium
Category
Data Exfiltration
Content
### Space Info
To get all object types and structures:
`curl -X GET "https://api.capacities.io/space-info?spaceid=$CAPACITIES_SPACE_ID" -H "Authorization: Bearer $CAPACITIES_API_TOKEN"`
Confidence
88% confidence
Finding
https://api.capacities.io/

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.