Security audit

Use HL Names API

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed HL Names API helper; it makes external API calls and includes a public fallback API key, so users should avoid sensitive lookups or proprietary eval data.

Install this if you want an agent to query HL Names APIs. Prefer your own HLN key for accountable use, avoid sensitive wallet/name lookups unless you are comfortable sending them to HLN, and do not run the eval runner with proprietary prompts or secrets unless you intend to send that content to the configured model provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The skill hard-codes and instructs use of a built-in API key, causing agents to automatically attach a credential to outbound requests even when the user did not explicitly provide one. This creates credential-handling behavior, normalizes secret reuse across deployments, and can lead to abuse, rate-limit exhaustion, attribution leakage, or accidental propagation of the key into logs and downstream systems.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README states that live evaluations may use a built-in public agent key as a fallback, but it does not clearly warn users that requests may be authenticated with shared third-party credentials and may therefore expose prompts, metadata, usage patterns, or rate-limit interactions outside the user's own account. In a security-sensitive agent skill, silently normalizing use of embedded credentials creates avoidable privacy, attribution, and abuse-risk concerns.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill embeds and instructs default use of a concrete API key, encouraging automatic credential transmission to a third-party service. Even if labeled public, hardcoding and redistributing tokens normalizes unsafe credential handling, makes abuse and rate-limit exhaustion easier, and may cause users to unknowingly rely on shared secrets.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script silently falls back to a hard-coded public HL Names API key when HLN_API_KEY is unset. This can cause operators to unknowingly send requests under a shared credential, creating data-leakage, rate-limit, attribution, and supply-chain trust risks because users may assume calls are local or authenticated with their own account.

Missing User Warnings

Medium
Confidence: 92%
Finding
The runner performs live HTTP requests to the HL Names API and may send request paths and bodies derived from eval data without an explicit runtime disclosure or confirmation. In an agent-skill context, hidden outbound network activity is risky because prompts or test data may contain sensitive identifiers, and users may not realize external systems are being contacted.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script sends prompts, model responses, expected facts, and fail conditions to third-party LLM providers for both answering and judging, but does not warn the operator at runtime. Because the skill bundle and eval content are included in those payloads, this can leak proprietary prompts, API outputs, and potentially sensitive test fixtures to external vendors.

Missing User Warnings

Medium
Confidence: 96%
Finding
Publishing a built-in API key in the skill content without strong credential-handling warnings encourages unsafe copy/paste reuse and may expose the key to anyone with access to the repository, prompts, logs, or model context. Even if the key is intended to be 'public,' embedding it as a default operational credential makes misuse and silent external requests more likely.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.