REST API

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only REST API helper with disclosed local project notes and no evidence of hidden execution, network use, or data exfiltration.

Install if you want REST API design and release guidance. During first use, choose whether proactive checks and local memory should be enabled, and avoid placing secrets, tokens, customer data, or unrelated personal information in ~/rest-api/memory.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding:
The activation criteria are broad and subjective (for example, activating whenever a user asks to design or implement REST endpoints, or proactively when work appears risky). That can cause the skill to engage outside clear user intent, potentially steering conversations, applying persistence behavior, or injecting workflow constraints when the user did not explicitly request this skill.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The skill directs the agent to create and update a persistent local memory file containing decisions, constraints, and pending risks, but does not require explicit user notice or consent before storing session-derived information. This creates a privacy and data-governance risk because users may not realize their project details are being retained across sessions on local storage.

VirusTotal

66/66 vendors flagged this skill as clean.
