Back to skill

Security audit

API Development

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only API development skill whose network, token, file, and local process examples match its stated purpose, though users should run mutating examples carefully.

Install/use this as a developer reference, not as commands to run blindly. Point examples at localhost, mocks, or test systems unless you intentionally want to change a real API; review DELETE, PUT, PATCH, upload, kill, and response-saving commands; use scoped test tokens and avoid exposing production secrets in shell history, logs, or shared output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill includes destructive API examples such as PUT, PATCH, DELETE, file upload, and later process-kill commands without warning users that these mutate remote state or terminate local processes. In an agent setting, these examples can be copied or adapted into real environments, increasing the chance of unintended data loss or service disruption.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill demonstrates authenticated and data-bearing API calls, including bearer token use and JSON payload transmission, without cautioning about secrets handling, environment selection, or sending production data to remote services. This can lead users or agents to expose credentials or sensitive payloads to unintended endpoints.

External Transmission

Medium
Category
Data Exfiltration
Content
-d '{"name": "Alice V2"}' | jq .

# DELETE
curl -s -X DELETE https://api.example.com/users/123

# POST form data
curl -s -X POST https://api.example.com/upload \
Confidence
88% confidence
Finding
curl -s -X DELETE https://api.example.com/users/123 # POST form data curl -s -X POST https://api.example.com/upload \ -F "file=@document.pdf" \ -F "description=My document" ``` ### Debug request

External Transmission

Medium
Category
Data Exfiltration
Content
-d '{"name": "Alice V2"}' | jq .

# DELETE
curl -s -X DELETE https://api.example.com/users/123

# POST form data
curl -s -X POST https://api.example.com/upload \
Confidence
88% confidence
Finding
https://api.example.com/

Tool Parameter Abuse

High
Category
Tool Misuse
Content
assert_status POST /api/users 201 '{"name":"Test","email":"test@test.com"}'
assert_status GET /api/users 200
assert_json /api/users '.[-1].name' 'Test'
assert_status DELETE /api/users/1 204

# Auth tests
assert_status GET /api/admin 401
Confidence
93% confidence
Finding
DELETE /api/users/1

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.