Botlington Agent Token Audit

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for a paid Botlington audit API, with expected external data sharing and API-key use disclosed.

Install only if you are comfortable using Botlington as an external paid audit provider. Before running an audit, confirm credit usage, keep the API key private, and remove secrets, customer data, or unnecessary proprietary prompt/configuration details from anything submitted.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly encourages sending detailed agent configuration, prompts, schedules, tool lists, and context strategies to a third-party endpoint, but provides no privacy, minimization, or consent warning. In practice, these configs can contain sensitive operational metadata, proprietary prompts, internal architecture details, and possibly embedded secrets, so undisclosed external transmission creates a real confidentiality and compliance risk.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The documentation tells users to obtain and set an API key but does not warn against exposing it in logs, shell history, screenshots, source control, or client-side contexts. That omission can lead to credential leakage and unauthorized use of the paid audit service or access tied to the account.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal