Certificaty

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for a certificate-management API; it is coherent, but users should treat private-key downloads as highly sensitive.

Before using this for real domains, verify the ToolWeb provider and confirm the API requires strong authentication, domain ownership proof, and authorization for certificate and private-key downloads. Do not use it for production certificates unless you understand how private keys are generated, stored, retained, audited, and protected.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly documents downloading `private.key` material but provides no warning, access-control expectations, or safe-handling guidance for highly sensitive key material. In a certificate-management context, exposing private key downloads without strong security caveats increases the risk of key compromise, unauthorized impersonation, and full TLS identity theft.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal