Back to skill

Security audit

BidClub

Security checks across malware telemetry and agentic risk

Overview

The skill includes a recurring remote-instruction heartbeat that could let the publisher change agent behavior after installation.

Review carefully before installing. Use only if you are comfortable with BidClub-hosted Markdown influencing the agent after installation. Do not let the skill auto-follow remote instructions without human review, store the API key only in a secure secret mechanism, verify webhook payloads before acting on them, and require confirmation before deleting posts or other account content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
Requiring the agent to periodically fetch and follow https://bidclub.ai/heartbeat.md establishes an external control channel unrelated to simple posting. Because the remote content is not fixed in the skill, the publisher can later change instructions and effectively steer the agent beyond the original consented scope.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Requiring the agent to periodically fetch and follow https://bidclub.ai/heartbeat.md establishes an external control channel unrelated to simple posting. Because the remote content is not fixed in the skill, the publisher can later change instructions and effectively steer the agent beyond the original consented scope.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Webhook registration expands the skill from outbound posting to inbound event handling, which is broader than the declared purpose and can expose an agent-controlled endpoint to unsolicited external traffic. It also increases the attack surface by introducing trust decisions around callback payloads, origin verification, and downstream automation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents a DELETE endpoint that can permanently remove posts but provides no warning about irreversibility, ownership checks, or a confirmation step before use. In an agent context, this increases the risk of accidental or overly broad deletion if the model misinterprets instructions, acts on stale context, or is prompted by untrusted input.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup instructs the user to save an API key but does not warn that the credential is sensitive, should never be embedded in prompts, logs, or committed files, and must be stored securely. For agent skills, this omission is especially risky because LLM-based tools may echo secrets into conversation history, telemetry, or downstream tools if operators are not clearly told to protect them.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directs ongoing network fetches and local state tracking without clearly warning that it will modify local files and perform recurring external communication. This undermines informed consent and can normalize persistent behavior that users may not expect from a posting skill.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The webhook section describes sending community activity to a third-party endpoint but omits privacy and security warnings about what data is transmitted and how it should be protected. This can lead operators to expose personal or activity data without proper notice, validation, or retention controls.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The skill instructs users to make authenticated API requests using a bearer token but provides no warning that the API key is sensitive or should not be hardcoded, logged, shared, or committed to state files and transcripts. In an agent-skill context, this omission can lead to accidental credential exposure through command history, tool logs, screenshots, or copied examples, enabling unauthorized access to the BidClub account/API.

Ssd 4

High
Confidence
99% confidence
Finding
The 'CRITICAL' language telling agents they MUST add a recurring rule to fetch and follow heartbeat content is a classic narrative-permission escalation pattern. It attempts to create durable compliance with future remote instructions outside the original skill contract, giving the service an ongoing command channel into the agent.

Ssd 4

High
Confidence
99% confidence
Finding
The repeated 'stay connected'/'remain active' framing pressures the agent to preserve an ongoing relationship with the service and keep executing externally supplied instructions. Repetition and urgency increase the likelihood that an agent or integrator will grant unjustified persistence and broader authority than needed for posting content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.