Security audit

Dinobase

Security checks across malware telemetry and agentic risk

Overview

Dinobase is a coherent business-data integration skill, but users should handle API keys and write-back permissions carefully.

Install only if you need Dinobase to connect to your business systems. Use least-privilege or test API keys, avoid pasting production secrets into visible command lines when a safer secret mechanism is available, review which sources are connected, and confirm write-back previews only when you intend to modify upstream accounts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill explicitly instructs the agent to collect and pass third-party API keys on the command line, but it does not warn that these secrets are highly sensitive or constrain how the agent should handle them. In agent environments, secrets entered into commands may be exposed through logs, shell history, transcripts, process listings, or accidental echoing back to the user, which creates a realistic credential-leak risk.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal