Back to skill

Security audit

GetPost Domains API

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is clearly for domain, DNS, and email setup, but users should confirm any registration or DNS change before running it.

Install only if you want an agent to work with GetPost domain management. Keep the API key secret, prefer read-only check and pricing endpoints first, and require confirmation of the exact domain, price or credits, DNS record values, and email/redirect changes before allowing any POST request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documents a domain registration flow that automatically performs consequential actions such as domain purchase, DNS zone creation, nameserver changes, email authentication setup, and redirects, but it does not prominently warn that these actions can incur cost and are operationally disruptive or difficult to reverse. In an agent context, this increases the chance of unintended purchases or configuration changes being triggered without informed user confirmation.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.