Skillfully - Agent Skill Analytics

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward API guide for Skillfully, with expected external login and bearer-token handling but no hidden code or automatic behavior.

Install only if you intend to use Skillfully's hosted service. Use an account you control, verify the domain before sending requests, treat email codes and bearer tokens as secrets, avoid exposing tokens in prompts or logs, and review any generated feedback snippet before adding it to another skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill instructs users to obtain and use bearer tokens for authenticated API calls but does not warn that the email address, login code, access token, and returned token metadata are sensitive secrets. In an AI runtime, such credentials may be logged, echoed into chat history, stored in shell history, or exposed to other tools, which can enable account takeover or unauthorized API access if mishandled.

VirusTotal

66/66 vendors flagged this skill as clean.
