Back to skill

Security audit

articuler

Security checks across malware telemetry and agentic risk

Overview

This is a coherent networking assistant that clearly uses Articuler’s external API to generate outreach drafts and playbooks, with privacy considerations users should understand before use.

Install only if you are comfortable sending your email address, your LinkedIn profile URL, target LinkedIn profile URLs, outreach objectives, and generated outreach data to Articuler. Treat the returned token as private, avoid placing it in logs or shared files, and review any generated email before sending it yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to transmit the user's email address, verification code, and LinkedIn profile URL to a third-party API without any explicit privacy notice, consent flow, or explanation of how that personal data will be used, retained, or shared. This is a genuine privacy/security issue because the workflow also involves submitting a target contact's LinkedIn URL and user objective, expanding third-party data disclosure beyond what a user may reasonably expect.

External Transmission

Medium
Category
Data Exfiltration
Content
Send a verification code to the user's email address.

```bash
curl --location --request POST 'https://api.articuler.ai/user/send-check' \
--header 'Content-Type: application/json' \
--data '{
  "email": "your@email.com",
Confidence
93% confidence
Finding
curl --location --request POST 'https://api.articuler.ai/user/send-check' \ --header 'Content-Type: application/json' \ --data

External Transmission

Medium
Category
Data Exfiltration
Content
Log in with the user's email, captcha code, and LinkedIn profile URL. Returns a `token` required for all subsequent API calls.

```bash
curl --location --request POST 'https://api.articuler.ai/user/artclaw/login' \
--header 'Content-Type: application/json' \
--data '{
  "email": "your@email.com",
Confidence
97% confidence
Finding
curl --location --request POST 'https://api.articuler.ai/user/artclaw/login' \ --header 'Content-Type: application/json' \ --data

External Transmission

Medium
Category
Data Exfiltration
Content
Submit a playbook generation job for the current user and a target contact. This is an async API — it returns a `sessionId` immediately. Use Step 4 to poll for the result.

```bash
curl --location --request POST 'https://api.articuler.ai/user/artclaw/playbook' \
--header 'Content-Type: application/json' \
--data '{
    "token": "xxx",
Confidence
95% confidence
Finding
curl --location --request POST 'https://api.articuler.ai/user/artclaw/playbook' \ --header 'Content-Type: application/json' \ --data

External Transmission

Medium
Category
Data Exfiltration
Content
Submit a cold email generation job. Same async pattern as Steps 3–4: returns a `sessionId` immediately, use Step 6 to poll for the result.

```bash
curl --location --request POST 'https://api.articuler.ai/user/artclaw/coldemail' \
--header 'Content-Type: application/json' \
--data '{
    "token": "xxx",
Confidence
95% confidence
Finding
curl --location --request POST 'https://api.articuler.ai/user/artclaw/coldemail' \ --header 'Content-Type: application/json' \ --data

External Transmission

Medium
Category
Data Exfiltration
Content
Send a verification code to the user's email address.

```bash
curl --location --request POST 'https://api.articuler.ai/user/send-check' \
--header 'Content-Type: application/json' \
--data '{
  "email": "your@email.com",
Confidence
93% confidence
Finding
https://api.articuler.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
Log in with the user's email, captcha code, and LinkedIn profile URL. Returns a `token` required for all subsequent API calls.

```bash
curl --location --request POST 'https://api.articuler.ai/user/artclaw/login' \
--header 'Content-Type: application/json' \
--data '{
  "email": "your@email.com",
Confidence
97% confidence
Finding
https://api.articuler.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
Submit a playbook generation job for the current user and a target contact. This is an async API — it returns a `sessionId` immediately. Use Step 4 to poll for the result.

```bash
curl --location --request POST 'https://api.articuler.ai/user/artclaw/playbook' \
--header 'Content-Type: application/json' \
--data '{
    "token": "xxx",
Confidence
95% confidence
Finding
https://api.articuler.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
Submit a cold email generation job. Same async pattern as Steps 3–4: returns a `sessionId` immediately, use Step 6 to poll for the result.

```bash
curl --location --request POST 'https://api.articuler.ai/user/artclaw/coldemail' \
--header 'Content-Type: application/json' \
--data '{
    "token": "xxx",
Confidence
95% confidence
Finding
https://api.articuler.ai/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.