Back to skill

Security audit

ArkRoute

Security checks across malware telemetry and agentic risk

Overview

This is a transparent ArkRoute helper for calling an external image/video generation API, with ordinary API-key and prompt-sharing privacy risks.

Install this only if you intend to send prompts or media-generation requests to ArkRoute. Use a dedicated API key when possible, monitor billing or credit use, and avoid sending secrets, regulated data, private images, or confidential project details unless ArkRoute's data handling and any upstream provider routing are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to send prompts and media-generation requests, authenticated with an API key, to a third-party service but does not clearly warn that user inputs and associated metadata will leave the local environment. In an agent setting, prompts may contain sensitive user data, making this an information disclosure risk even if the integration is legitimate.

External Transmission

Medium
Category
Data Exfiltration
Content
## Usage — Image Generation

```bash
curl -X POST https://api.ark-route.com/v1/images/generations \
  -H "Authorization: Bearer $ARKROUTE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model": "seedream-3.0", "prompt": "A futuristic city at sunset", "size": "1024x1024"}'
Confidence
94% confidence
Finding
https://api.ark-route.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```python
from openai import OpenAI
client = OpenAI(api_key="your-key", base_url="https://api.ark-route.com/v1")
response = client.images.generate(model="seedream-3.0", prompt="A futuristic city at sunset", size="1024x1024")
print(response.data[0].url)
```
Confidence
94% confidence
Finding
https://api.ark-route.com/

External Transmission

Medium
Category
Data Exfiltration
Content
{
  "mcpServers": {
    "arkroute": {
      "url": "https://api.ark-route.com/mcp",
      "headers": { "Authorization": "Bearer YOUR_ARKROUTE_API_KEY" }
    }
  }
Confidence
91% confidence
Finding
https://api.ark-route.com/

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.