Security audit

Openstoa Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed OpenStoa API reference skill, but users should be careful with account actions, bearer tokens, third-party proof tooling, and payment keys.

Install only if you are comfortable using OpenStoa's authenticated APIs. Do not let an agent delete accounts, post publicly, change roles, spend funds, or exchange tokens without explicit approval. Treat token-login URLs as secrets, verify the external npm package before any global install, and use a low-value separate PAYMENT_KEY or scoped wallet for proof payments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The server-side Open Graph scraping endpoint accepts an arbitrary URL and causes the service to fetch it, which creates classic SSRF-style risk if internal addresses, cloud metadata endpoints, or other sensitive network targets are reachable. In a skill context, this exposes network-reaching capability unrelated to the core authentication/community use case and could be abused to probe internal infrastructure or exfiltrate metadata.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The proof-generation guide explicitly instructs agents to install external tooling and configure payment credentials such as PAYMENT_KEY or CDP variables, creating a path for credential exposure and unsafe autonomous spending. In an agent environment, documentation that normalizes tool installation and wallet/payment setup materially increases the chance of secret misuse, unreviewed code execution, and financial loss.

Missing User Warnings

Medium
Confidence: 82%
Finding
The account deletion endpoint is permanently destructive, but the skill documentation provides no explicit caution about irreversible effects or need for user confirmation. In agent-assisted settings, omission of a confirmation warning raises the risk of accidental irreversible account loss and associated membership/bookmark removal.

Missing User Warnings

Medium
Confidence: 94%
Finding
Passing a bearer token in the query string for token-to-session conversion is sensitive because URLs may be logged in browsers, proxies, server logs, analytics tools, and referrer headers. The lack of an explicit warning is especially dangerous in agent/browser handoff flows, where the token may leak and allow session hijacking.

VirusTotal

No VirusTotal findings

Static analysis

No suspicious patterns detected.