Ultimate Flashcards and Podcast Tutor

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward EchoDecks integration that uses an API key to manage study content, with no evidence of hidden collection, persistence, or destructive local behavior.

Install this only if you trust EchoDecks with the study material and account actions you ask the agent to perform. Treat ECHODECKS_API_KEY as a secret, and confirm before running credit-consuming generation actions or sending confidential notes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The README states that `ECHODECKS_API_KEY` is required but does not clearly warn that the skill accesses a sensitive credential and uses it for remote API calls. While not evidence of credential theft by itself, this omission weakens informed consent and can cause operators to expose secrets to a skill without understanding the trust implications.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal