Init Kb

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it handles API keys and persistent workspace changes in ways users should review carefully before installing.

Install only if you are comfortable sending selected URLs and profile content to Firecrawl and storing the resulting KB locally. Prefer setting FIRECRAWL_API_KEY yourself instead of pasting it into chat, avoid saving .firecrawl/api-key.txt unless you protect and ignore it, review every URL before scraping, and require a diff before AGENTS.md or CLAUDE.md is changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill instructs users to persist the Firecrawl API key in shell startup files such as ~/.zshrc or ~/.bashrc, which broadens credential exposure beyond this task. That makes the secret available to future shells, unrelated tooling, and possibly other processes or users on shared systems, increasing the blast radius of compromise.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases are broad enough that ordinary user requests like 'build kb' or 'set up kb' may activate a workflow that asks for secrets, scrapes external sites, writes files, and modifies workspace state. Over-broad activation raises the risk of unintended execution of sensitive actions without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger section lacks scope boundaries for when the skill should not run, which increases the chance that casual discussion about a KB will invoke credential collection, scraping, and persistence behavior. In a multi-skill or conversational environment, this ambiguity can cause unintended sensitive operations.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill introduces API-key collection and local storage early, but does not present a prominent, upfront credential safety warning before asking for or handling the secret. Users may paste secrets into logs or shared chat contexts without understanding retention and exposure risks.

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger phrases are broad and natural-language based, which can cause accidental or unwanted invocation during ordinary conversation. In this skill's context, unintended activation is more dangerous because it can lead to website scraping, follow-up prompts for secrets like API keys, and writes to workspace storage, all of which have side effects and potential privacy or cost implications.

Missing User Warnings

Medium
Confidence: 91%
Finding
The walkthrough describes checking for and saving a Firecrawl API key in workspace storage but does not clearly warn users that the key may be persisted in plaintext under .firecrawl/api-key.txt. This is dangerous because users may disclose sensitive credentials without informed consent, and plaintext workspace storage increases the chance of later exposure to other tools, agents, logs, backups, or collaborators.

Ssd 3

High
Confidence: 99%
Finding
The skill explicitly tells users to paste an API key into chat and then persist it to .firecrawl/api-key.txt, creating both conversational exposure and long-term local retention of a secret. Chat systems, transcripts, and local files are common leakage points, so this materially increases the chance of credential compromise.

Ssd 3

Medium
Confidence: 84%
Finding
A persistent correction log can accumulate user-provided details over time, including sensitive business, legal, or personal information that was only meant to refine outputs in context. Even though the feature is framed as usability, long-term retention expands the privacy and data exposure surface.

Ssd 3

Medium
Confidence: 93%
Finding
The workflow instructs the system to append every correction to a durable file, encouraging indiscriminate retention of user inputs beyond the immediate task. Over time this can create a shadow record of sensitive operational details, mistakes, preferences, and internal facts that may be exposed or misused.

External Transmission

Medium
Category: Data Exfiltration
Content
For each social profile and important link, scrape individually:
```bash
# Excerpt quoted from the skill: sends the selected URL and the API key to the Firecrawl scrape endpoint
curl -s -X POST "https://api.firecrawl.dev/v1/scrape" \
  -H "Authorization: Bearer $FIRECRAWL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "<url>", "formats": ["markdown"]}'
```
Confidence: 82%
Finding
https://api.firecrawl.dev/

VirusTotal

65/65 vendors flagged this skill as clean.