Viral App

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed viral.app CLI helper for analytics and account operations, with important caution because it can initiate creator payouts when given a sufficiently privileged API key.

Install only if you trust the separately installed `viral-app` CLI and can provide an appropriately scoped API key. Treat payout initiation and other POST/PUT/PATCH/DELETE operations as approval-required actions, verify recipients and amounts before execution, and prefer read/report workflows unless you explicitly intend to change viral.app data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The sample report explicitly prompts the operator to 'Initiate all / Select top N / Review only' for creator payouts without any embedded warning, approval requirement, or verification step. In a skill centered on creator hub and live operational actions, this normalizes financial disbursement as a routine next step and could lead an agent or user to trigger payouts without confirming authorization, accuracy, or business controls.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal