Integrate You.com web tools with Vercel AI SDK

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward You.com AI SDK integration guide, with no hidden, destructive, or deceptive behavior found.

Before installing, review and pin the npm dependency as appropriate, keep the You.com API key in an environment variable or secret manager, do not commit secrets, and avoid sending sensitive prompts, private URLs, or regulated data through the added tools unless your application and provider agreements allow it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill directs users to integrate external You.com tools that can send prompts, search queries, and URLs to a third-party service, but it does not disclose that data egress clearly. In an agent/tooling context, this can lead developers to expose sensitive user input or internal URLs without informed consent or privacy review.

Missing User Warnings

Low

Confidence: 87% confidence
Finding: The skill recommends storing API keys in environment variables but does not include basic credential-handling guidance such as avoiding hardcoding, not committing .env files, and using secret managers in production. While environment variables are standard practice, omitting these warnings increases the chance of accidental credential exposure.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal