Back to skill

Security audit

API Doc Generator

Security checks across malware telemetry and agentic risk

Overview

This is a small instruction-only skill for generating API documentation from user-provided code, with no evidence of hidden access, persistence, credential use, or exfiltration.

Reasonable to install for API documentation generation. Be aware that generic OpenAPI or Swagger mentions may invoke it unexpectedly, and only provide source code you are comfortable processing in the active agent session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase "API文档" is generic enough to match normal user discussion about API documentation, not just an explicit request to invoke this skill. That can cause unintended activation, leading the agent to analyze code or generate structured outputs when the user only wanted conceptual help, which is a scope-control and prompt-routing risk.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase "API文档" is very broad and can match many ordinary user requests that are not specifically asking to invoke this skill. Overbroad activation increases the chance of unintended skill routing, causing the agent to process arbitrary code snippets or generate misleading documentation in contexts where this skill was not explicitly desired.

Vague Triggers

Low
Confidence
87% confidence
Finding
The standalone trigger "openapi" is ambiguous because users may mention the term in discussion, troubleshooting, comparison, or education contexts without requesting this skill. This can lead to accidental activation and inappropriate interception of general conversations.

Vague Triggers

Low
Confidence
87% confidence
Finding
The standalone trigger "swagger" has the same ambiguity problem as "openapi" and may appear in many benign contexts unrelated to skill invocation. This broad matching can cause unintentional routing and reduce predictability of the system.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.