Back to skill

Security audit

Ultimate Flashcards / Podcasts Tutor

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward EchoDecks API skill, with privacy and credential-handling caveats users should understand before use.

Install only if you trust EchoDecks with the study materials, deck data, review activity, and account details involved in your requests. Keep ECHODECKS_API_KEY private, do not paste secrets or regulated data into generation inputs, and remember that generation/review actions may change your EchoDecks account and consume credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation describes a service-level API key and endpoints that return sensitive user information such as email, credit balance, and study stats, but it provides no security guidance on secret handling, least-privilege use, data minimization, or storage/transmission protections. In an agent skill context, this omission is dangerous because implementers may embed the key in prompts, logs, client-side code, or send broad data to downstream tools, increasing the chance of credential leakage and unauthorized access to user data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly promotes external API integration, AI card generation from arbitrary user-provided text, and podcast synthesis, but does not warn users that their study materials may be transmitted to a third-party service. This creates a meaningful privacy and data-handling risk, especially because users may input sensitive educational, professional, or health-related content without realizing it leaves the local environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly integrates with an external API and includes tools like AI card generation that may send user-provided topic or source text off-platform, but it does not warn users that potentially sensitive content could be transmitted to a third party. This creates a real privacy and data-governance risk because users may unknowingly submit confidential study materials, personal notes, or proprietary text to an external service.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The documented tools include state-changing operations such as creating decks and submitting reviews, but the skill does not clearly warn that these actions modify the user's account data. Without that notice, a user may invoke the skill expecting read-only behavior and unintentionally alter study records, deck contents, or spaced-repetition history.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.