K test

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward X/Twitter search skill that uses a user-provided xAI API key and does not show hidden or unrelated behavior.

Install only if you trust the publisher and are comfortable using an xAI API key with this skill. Treat XAI_API_KEY as a secret, avoid committing it to files or screenshots, rotate it if exposed, and expect your search queries to be sent to xAI.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 81% confidence
Finding: The setup instructions tell users to export or store an API key but do not warn that the credential is sensitive, should not be committed to files, or should be scoped and rotated if exposed. This increases the chance of accidental leakage through shell history, screenshots, shared config files, or source control.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal