Back to skill

Security audit

REST API Tester

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward REST API testing skill, with expected network requests and optional local reports, but users should handle tokens and report files carefully.

Install only if you need a command-line API tester. Use staging endpoints and least-privilege test tokens when possible, verify URLs before sending Authorization headers or request bodies, be careful with POST/PUT/PATCH/DELETE and benchmark or test-all runs, and review or delete generated HTML reports if responses may contain secrets, personal data, or internal details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes capabilities to make network requests and generate HTML reports, which implies network access and file writing, yet no permissions are declared. This can mislead users or enforcement systems about what the skill is able to do, reducing transparency and weakening security review.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The statement 'No external API calls' is contradicted by the rest of the skill, which is explicitly built to send HTTP requests to user-specified endpoints. Misrepresenting network behavior is dangerous because it may cause users to expose internal endpoints, credentials, or sensitive payloads under a false assumption of no outbound communication.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples encourage sending Authorization headers and request bodies to remote APIs without any warning about secrets handling or data sensitivity. In practice, users may paste bearer tokens, session credentials, or private data into commands that transmit them to third-party or unintended endpoints.

External Transmission

Medium
Category
Data Exfiltration
Content
# Test with custom headers
python3 skills/api-tester/scripts/api_tester.py \
  --url https://api.example.com/secure \
  --headers '{"Authorization":"Bearer token123"}'
```
Confidence
91% confidence
Finding
https://api.example.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.