Strawpoll Cli

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward StrawPoll command-line helper, with expected account access for creating and managing polls.

Install this if you trust the upstream strawpoll CLI source. Protect the StrawPoll API key and any keyring password, prefer a keyring or secret manager over shared environment files, and ask the agent to confirm poll IDs before update, delete, reset, or any command using --force.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The environment variable section lists `STRAWPOLL_API_KEY` and `STRAWPOLL_KEYRING_PASSWORD` without warning that these are sensitive secrets. In agentic or scripted environments, this omission can encourage insecure handling such as storing credentials in shell history, logs, CI output, or shared environment files.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal