Back to skill

Security audit

Proxyllm Account

Security checks across malware telemetry and agentic risk

Overview

This skill openly does what it says, but it gives an agent broad authority to create and manage a paid LLM gateway account and sensitive API keys without enough explicit user-control safeguards.

Install only if you intentionally want an agent to create and manage a ProxyLLM account for you. Confirm before signup, payment, token storage, key creation, provider-lane changes, and any use of your Codex or ChatGPT subscription seat. Treat sk_ and pllm_ values as sensitive secrets, set budgets on routing keys, and know how to revoke them before delegating this flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill advertises very broad trigger phrases such as setting up LLM access, reducing API spend, adding provider fallback, or giving an agent keys, which can cause the agent to invoke the skill in routine conversations without a narrowly scoped, explicit user request. Because the skill performs account creation, payment-flow handling, and credential provisioning, over-broad invocation increases the chance of unintended external actions and secret handling.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to handle an `account_token` described as a full management token and later to mint routing keys, but it does not begin with a clear warning that these secrets grant organization-level control and can affect billing, provider routing, and usage visibility. In an agentic setting, this omission is dangerous because it normalizes collecting, storing, and reusing highly privileged credentials without explicit user awareness or consent boundaries.

External Transmission

Medium
Category
Data Exfiltration
Content
## Introspection you can rely on

- `GET https://api.proxyllm.ai/v1/models` (no auth): live catalog.
- `GET https://api.proxyllm.ai/v1/key` (routing key auth): what this key
  routes to, which models it reaches, budget remaining.
- `GET .../v1/organizations/usage` (account token): 30-day usage.
Confidence
85% confidence
Finding
https://api.proxyllm.ai/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.