apix

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed API explorer that can make real API calls, so it appears safe to install if users are careful with credentials and mutating requests.

Install the CLI only from a source you trust, prefer the Homebrew route when possible, use least-privilege API tokens, and review the method, destination, headers, and payload before allowing POST, PUT, PATCH, DELETE, or production API calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs agents to execute live HTTP requests against discovered endpoints but does not warn about external network access, side effects, or possible transmission of sensitive data in headers, query parameters, or bodies. In an agent context, this is dangerous because users may assume the skill is read-only discovery tooling when it can actually perform state-changing operations against remote services.

VirusTotal

64/64 vendors flagged this skill as clean.
