Ultimate Flashcards / Podcasts Tutor

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward EchoDecks integration, but users should understand it sends study content and account actions to EchoDecks.

Install only if you trust EchoDecks with the study material, deck metadata, review activity, and account profile information involved in your requests. Keep ECHODECKS_API_KEY private, avoid submitting secrets or regulated data, and be aware that generation actions may consume credits and create persistent content in your EchoDecks account.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (4)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The documentation explicitly exposes access to user profile data including email, credit balance, and study statistics via a service-level API key, but provides no privacy classification, access-scope limitations, or handling guidance. In a third-party integration context, this omission can lead developers to over-collect, improperly store, or broadly share sensitive user data and study telemetry.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README explicitly instructs users to configure an API key and describes sending topics, text, deck content, reviews, and podcast generation requests to an external EchoDecks API, but it does not warn that user-provided study material will leave the local environment and be processed by a third party. This is dangerous because users may paste sensitive notes, proprietary material, or regulated data into the skill without informed consent, creating privacy, confidentiality, and compliance risk.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill advertises AI card generation, podcast synthesis, and study features backed by an external API, but it does not warn users that deck or card content may be transmitted to a third-party service for processing. This creates a real privacy and data-handling risk because users may provide sensitive study materials, proprietary notes, or personal data without informed consent about external sharing and processing.

Missing User Warnings

Low

Confidence: 89% confidence
Finding: The skill states that an `ECHODECKS_API_KEY` environment variable is required, but does not include guidance on secure credential handling. This omission can lead users to expose API keys in prompts, logs, shared configs, screenshots, or version control, increasing the chance of credential leakage and unauthorized API use.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal