Api Gateway 1

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed API gateway, but it gives agents broad authenticated access to many third-party services with too little safety guidance for destructive or high-impact actions.

Review before installing. Use this only with accounts and OAuth scopes you are comfortable letting an agent access. Treat delete, send, share, admin, billing, advertising, and webhook setup actions as high-risk, and require explicit confirmation of the exact service, account, object IDs, recipients, and destination URLs before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (56)

Vague Triggers

Medium severity, 79% confidence
The activation guidance says to use the skill whenever users want to interact with external services, which is very broad for a capability that can perform arbitrary authenticated API actions across many providers. In an agent setting, this increases the chance the skill is invoked in contexts where the user did not explicitly intend third-party side effects, creating unnecessary risk of data access, modification, or deletion.

Missing User Warnings

Medium severity, 91% confidence
The skill exposes broad passthrough access to native third-party APIs, including create, update, and delete operations, but does not prominently warn that using it can modify or remove user data in connected services. In practice, this can lead an agent or user to treat the skill like a read-only integration when it is actually a high-privilege action surface spanning many SaaS platforms.

Missing User Warnings

Medium severity, 87% confidence
The reference documents a destructive delete operation for tasks without any guidance to require explicit user confirmation, validate task identity, or warn that the action is irreversible. In an agent context, this increases the chance that a prompt-injected or mistaken instruction could cause unauthorized or accidental data deletion in a user's connected Asana workspace.

Missing User Warnings

Medium severity, 91% confidence
The webhook example enables sending Asana event data to an arbitrary target URL but does not warn that this creates ongoing outbound transmission to third-party infrastructure. In an agent setting, this can be abused to exfiltrate task or project metadata to attacker-controlled endpoints under the guise of automation setup.

Missing User Warnings

Medium severity, 88% confidence
The reference documents create, update, and delete operations against a live CRM without any warning that these actions modify or permanently remove remote customer data. In an agent skill context, omission of explicit safety guidance increases the chance an agent will perform destructive actions without confirmation, leading to unintended data loss or integrity issues in a user-authorized Attio workspace.

Missing User Warnings

Medium severity, 92% confidence
The documentation exposes a destructive operation (`PUT .../status/trashed.json`) without any warning that it deletes or trashes user content, and without guidance to require explicit user confirmation before invoking it. In an agent skill that can translate natural-language requests into API calls against a user's authorized Basecamp workspace, this increases the risk of accidental or socially engineered destructive actions.

Missing User Warnings

Medium severity, 86% confidence
The reference documents destructive operations such as project deletion without any warning, confirmation guidance, or indication of reversibility. In an agent-facing skill, this increases the chance that an LLM or downstream caller will invoke data-destructive actions automatically or with insufficient user consent.

Missing User Warnings

Medium severity, 89% confidence
The reference documents destructive actions such as publish, cancel, and delete without any guidance to require explicit user confirmation, authorization checks, or safe-handling patterns. In an agent skill that translates natural-language requests into API calls against user-authorized Eventbrite accounts, this increases the risk of accidental or socially engineered destructive operations.

Missing User Warnings

Medium severity, 89% confidence
The reference documents async callback support for transcript and summary retrieval via a user-supplied destination_url, but provides no warning that these endpoints can send highly sensitive meeting content to arbitrary external systems. In an agent skill context, this omission increases the chance that an LLM or user will configure exfiltration of confidential meeting data to an unintended or untrusted webhook endpoint.

Missing User Warnings

Medium severity, 93% confidence
The webhook creation example enables delivery of transcript, summary, and action-item content to an external destination without any privacy, consent, or data-handling warning. Because these payloads can contain full meeting contents and derived sensitive insights, the example normalizes broad outbound data transfer and could lead agents or users to create unsafe integrations that leak confidential business or personal information.

Missing User Warnings

Medium severity, 92% confidence
The reference documents endpoints for listing, creating, updating, and deleting contacts without any caution that these operations handle privacy-sensitive personal data. In an agent context, omission of consent, minimization, and verification guidance increases the risk that the agent will retrieve or mutate user/contact records inappropriately, causing privacy violations or unauthorized data changes.

Missing User Warnings

Medium severity, 94% confidence
The newsletter example shows how to send outbound email to external recipients but omits any warning that this action has real-world effects and can contact large audiences. In an agent-driven integration, lacking a confirmation or safety note can enable accidental or unauthorized mass messaging, with reputational, legal, and operational consequences.

Missing User Warnings

Medium severity, 90% confidence
The reference includes ready-to-use Google Ads mutate examples that create campaigns and enable campaign status, but it does not warn that these calls modify live ad account state and may incur spend or operational impact. In an agent skill that routes authenticated requests to user-authorized third-party services, this increases the risk that an agent or user will execute destructive or costly actions without adequate confirmation or sandbox guidance.

Missing User Warnings

Medium severity, 88% confidence
The document explicitly states that authentication is automatic and that the router injects the OAuth token, but it does not pair that with any warning that requests are credentialed actions performed against the user's connected Google Analytics account. In an agent skill context, this can normalize silent authenticated operations and increase the risk of unintended account enumeration or configuration changes if downstream prompts or agents invoke these endpoints without clear user confirmation.

Missing User Warnings

Medium severity, 90% confidence
Stating that authentication is automatic because the router injects the OAuth token normalizes authenticated access without warning that all requests run with the user's connected third-party privileges. In an agent skill, this can lead to overbroad or insufficiently transparent access to sensitive BigQuery data if downstream agents or users do not realize requests are authenticated.

Missing User Warnings

Medium severity, 86% confidence
This reference includes examples for deleting, moving, copying, and sharing Google Drive files without any user-facing caution that these operations can modify access or expose data. In an agent skill that brokers OAuth-backed access to real user Drive contents, omission of safety guidance increases the chance an agent or integrator will invoke high-risk actions without confirmation or least-privilege handling.

Missing User Warnings

Medium severity, 84% confidence
The upload and content-replacement examples show how to transmit new file contents and overwrite existing files, but they do not warn that sensitive data may be uploaded to third-party storage or that existing content may be irreversibly replaced. Given this skill connects to user-authorized external services, missing guardrails can lead to accidental exfiltration or data loss through agent misuse or misunderstanding.

Missing User Warnings

Medium severity, 87% confidence
The reference explicitly documents email-sending, draft-sending, label modification, and trash operations but provides no warning that these actions can transmit data externally, alter mailbox state, or delete user content. In an agent-facing skill, this increases the chance that downstream agents invoke sensitive Gmail operations without meaningful user confirmation, causing privacy violations or destructive actions under a valid OAuth connection.

Missing User Warnings

Medium severity, 92% confidence
The reference documents multiple state-changing and destructive Google Play operations such as deleting products, canceling subscriptions, replying to reviews, and committing or deleting edits without any cautionary guidance, confirmation requirements, or mention of user-consent safeguards. In an agent skill that connects to live third-party services, this increases the risk that an LLM or user prompt could invoke high-impact actions without adequate friction or awareness.

Missing User Warnings

Medium severity, 72% confidence
Stating that authentication is automatic because the router injects the OAuth token can normalize silent authenticated access without reminding consumers that requests act on a user's connected Google Tasks account. In an agent skill context, this increases the risk of overbroad or unintended data access if downstream instructions or prompts cause actions to be taken without clear user awareness.

Missing User Warnings

Medium severity, 89% confidence
This reference documents highly sensitive administrative actions including account creation, deletion, privilege elevation, role assignment, and org-unit deletion without any embedded cautions, confirmation requirements, or least-privilege guidance. In an agent skill context, such omission increases the risk that an LLM or downstream integrator will invoke destructive or privilege-changing operations based on ambiguous or unverified user prompts.

Missing User Warnings

Medium severity, 82% confidence
The reference explicitly documents destructive operations such as product deletion and state-changing updates without any cautionary language, confirmation requirements, or guidance to verify user intent. In an agent skill that can broker API actions across OAuth-connected services, this increases the chance that an LLM or integrator will invoke irreversible actions from ambiguous prompts.

Missing User Warnings

Medium severity, 85% confidence
Documenting webhook creation without warning that it sends future Gumroad event data to an arbitrary external URL can enable unintended exfiltration of sales, subscriber, or subscription-related information. In this skill context, managed OAuth makes the downstream API access legitimate, so the main risk is silent data routing to attacker-controlled infrastructure.

Missing User Warnings

Medium severity, 89% confidence
The reference documents multiple destructive and outbound-email operations such as deleting campaigns, leads, accounts, replying/forwarding email, and enabling sending-related features without any cautionary guidance, confirmation expectations, or indication that these actions should require explicit user intent. In an agent skill that connects to live third-party services, this increases the risk that an agent could perform high-impact real-world actions from ambiguous or prompt-injected requests.

Missing User Warnings

Medium severity, 84% confidence
The reference documents a destructive Jira action (issue deletion) as a normal operation without any warning, confirmation guidance, or statement that deletion is irreversible. In an agent skill context, this increases the chance an agent or user will invoke a destructive endpoint without sufficient scrutiny, causing accidental loss of tickets and associated workflow history.

VirusTotal

64/64 vendors flagged this skill as clean.