Back to skill

Security audit

snipit.sh

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward helper for uploading chosen snippets or files to snipit.sh, but users must treat uploads as sharing data with an external service.

Install only if you trust snipit.sh and the snipit-sh npm package. Before sharing, review exactly what will be uploaded, redact credentials, tokens, personal data, and production secrets where possible, and use password protection, burn-after-read, and short expirations for sensitive material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly encourages sharing secrets, configs, logs, diffs, and .env files through a third-party service but does not clearly warn users that this transmits sensitive data off-host to an external provider. Even if the service offers encryption and access controls, users may expose credentials, tokens, internal code, or regulated data through misuse or overtrust in the tool description.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The examples normalize uploading .env files and logs, both of which commonly contain credentials, API keys, session tokens, stack traces, and internal infrastructure details. Presenting these examples without explicit caution materially increases the chance that users will exfiltrate sensitive data to an external service under the assumption that encryption alone makes it safe.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.