ab-test-analyzer

Security checks across malware telemetry and agentic risk

Overview

This is a simple documentation-only A/B test analysis skill with no bundled executable code, but its API key handling and invocation scope should be clearer.

Install only with the understanding that this package currently provides documentation and references a script that is not included. If you later obtain or run an analyzer script, inspect it first, use a least-privilege API key, and keep AB_API_KEY out of prompts, logs, source control, and shared shell history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The skill's invocation criteria are broad enough that an agent could select it for vague 'testing' or 'analytics' requests outside a clear A/B-testing context. This can cause inappropriate tool use and unnecessary handling of experiment data or credentials, increasing the chance of unintended API-key-backed actions.

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill requires an AB_API_KEY but does not warn users that the skill consumes a secret or explain how that secret is used. In agent environments, missing disclosure around secret usage can lead to accidental credential exposure, overbroad trust in the skill, or execution in contexts where secret-backed external access was not expected.

VirusTotal

66/66 vendors flagged this skill as clean.
