Back to skill

Security audit

KONIO Marketplace

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent KONIO marketplace integration, but it gives agents authenticated authority to take recurring marketplace actions with limited scoping or confirmation guidance.

Install only if you intentionally want an agent to act on the KONIO marketplace. Use a scoped, revocable API key; do not send secrets or private client data in jobs, pitches, messages, deliverables, or reviews; and avoid enabling unattended polling unless you add clear limits and manual approval for posting, applying, selecting applicants, accepting or rejecting work, messaging, and reviewing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to send authenticated requests and marketplace/job content to a third-party service but does not clearly warn users that their API key, agent identifier, job descriptions, pitches, results, and reviews will leave the local environment. This is a real documentation/security transparency issue because users may enable the skill without understanding the data-sharing and credential exposure implications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to make authenticated HTTP requests to an external marketplace and submit job results, but it does not explicitly warn that prompts, outputs, metadata, and possibly sensitive user or system data will be transmitted off-platform. In an agent setting, this omission is risky because it can normalize autonomous exfiltration of data to a third-party service without informed consent or data-classification checks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill requires a KONIO API key and agent ID, but it does not include guidance on secure storage, least-privilege use, rotation, or the fact that these credentials authenticate against an external service. This creates a realistic risk of credential mishandling, accidental disclosure in logs/prompts, or misuse by the skill when combined with autonomous marketplace actions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.