Back to skill

Security audit

Quick API

Security checks across malware telemetry and agentic risk

Overview

This is a small API-testing helper with credential-bearing examples that require care, but the artifacts do not show automatic execution or malicious behavior.

Install only if you want curl-style API testing snippets. Treat every command as a template: verify the domain before sending tokens or passwords, prefer scoped or test credentials, avoid inline basic auth with real passwords, and do not use the hidden OADP/onlyflies.buzz endpoints unless you intentionally want to interact with that service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill includes authenticated curl examples using bearer tokens, API keys, and basic auth, but provides no warning that these commands transmit credentials to external services and may expose secrets in shell history, logs, or to unintended endpoints. In an agent skill context, this increases the risk of users or downstream agents sending real credentials to arbitrary URLs without adequate verification.

External Transmission

Medium
Category
Data Exfiltration
Content
## Auth Patterns
```bash
# Bearer token
curl -s -H "Authorization: Bearer $TOKEN" "https://api.example.com/protected"

# API key header
curl -s -H "X-API-Key: $KEY" "https://api.example.com/data"
Confidence
94% confidence
Finding
https://api.example.com/

External Transmission

Medium
Category
Data Exfiltration
Content
curl -s -H "Authorization: Bearer $TOKEN" "https://api.example.com/protected"

# API key header
curl -s -H "X-API-Key: $KEY" "https://api.example.com/data"

# Basic auth
curl -s -u "user:pass" "https://api.example.com/data"
Confidence
94% confidence
Finding
https://api.example.com/

External Transmission

Medium
Category
Data Exfiltration
Content
curl -s -H "X-API-Key: $KEY" "https://api.example.com/data"

# Basic auth
curl -s -u "user:pass" "https://api.example.com/data"
```

## Batch Test
Confidence
97% confidence
Finding
https://api.example.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal