Get public holidays by country and year

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward public-holiday lookup skill that uses a disclosed Apipick API key and API endpoint, with no hidden code or persistence.

Install only if you are comfortable letting your agent send country and year holiday lookups to Apipick using your APIPICK_API_KEY. Configure the key through the environment or an approved secrets mechanism rather than pasting it into chat, and monitor API credit usage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly tells the agent to ask the user for their API key if the environment variable is not set, which can normalize collecting secrets through ordinary conversation. That creates unnecessary credential-handling risk because users may paste long-lived API keys into chat, where they may be logged, retained, or exposed to downstream systems.

VirusTotal

65/65 vendors flagged this skill as clean.
