Back to skill

Security audit

Http Api Tester

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple prompt-only API test generator, with no executable payload or hidden behavior found.

Install is reasonable if you want help generating API smoke tests. Before running generated curl or CI scripts, review endpoints and methods, prefer staging systems, keep tokens in environment variables or CI secrets, and avoid logging sensitive headers or responses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly generates reusable curl smoke-test scripts and CI shell checks, but it does not warn that running those commands may send real requests to production-like endpoints, trigger state-changing operations, or expose embedded tokens and headers in logs or shell history. In this context, the omission is security-relevant because users may copy and execute generated commands unchanged, increasing the chance of unintended impact against live systems.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.