API Cost Tracker

Security checks across malware telemetry and agentic risk

Overview

This cost tracker is not exfiltrating data, but normal use silently records fake API spend, so its reports and budget alerts can be misleading.

Review before installing or automating. Do not rely on its reports, add scheduled runs, or provide API keys/webhooks until the demo data is removed or gated behind an explicit demo/test command and the real usage collection path is clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The CLI unconditionally inserts hard-coded demo usage records on every execution before handling the requested command. This contaminates persisted cost history and budget calculations, causing false spend reporting and potentially triggering incorrect operational or financial decisions based on fabricated data.

VirusTotal

66/66 vendors flagged this skill as clean.
