Security audit

Axion

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Axion API helper for paid forecasting, with credential and credit use clearly disclosed.

Install only if you are comfortable sending forecast questions to Axion and using an Axion API key with prepaid credits. Treat forecast creation as a paid remote API call, and require explicit user confirmation before sharing forecasts publicly, deleting threads, or initiating credit purchases.

SkillSpector

By NVIDIA

Vulnerability Patterns

Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Tool Parameter Abuse

High

Category: Tool Misuse
Content: - `GET /forecasts`: list all threads for the account. - `POST /forecasts/{thread_id}/stop`: cancel an in-progress forecast (consumed credits still charged). - `POST /forecasts/{thread_id}/share` / `.../unshare`: toggle public visibility; share returns `{ "share_url": "/share/..." }`. - `DELETE /forecasts/{thread_id}`: delete a thread. - `GET /account/balance`: `{ "credits": 3750 }`. - `POST /account/credits/purchase`: `{ "amount": 50 }` returns `{ "checkout_url": "https://checkout.stripe.com/..." }`. Minimum $50.
Confidence: 24% confidence
Finding: DELETE /forecasts/{thread_id}`:

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal