Back to skill

Security audit

Volcengine ARK Web Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Volcengine ARK web-search helper that uses the user's ARK API key to send search prompts to that provider.

Install only if you are comfortable sending search prompts to Volcengine ARK under your own API key. Avoid putting secrets, private documents, or regulated personal data into queries unless that is acceptable for your Volcengine account and policies, and do not override ARK_BASE_URL unless you trust the destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill routes user queries to an external provider using the user's `ARK_API_KEY`, but the description does not prominently warn about third-party transmission of prompts and associated privacy implications. This can cause users to unknowingly send sensitive or regulated data off-platform to Volcengine, especially because the skill is framed as a generic web-search helper and encourages broad reuse in automation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.