Security audit

Api Cost Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed token-cost optimizer, but users should review any generated agent or heartbeat configuration before applying it.

Before installing, treat this as an agent-configuration optimizer rather than a passive cost report. Review generated AGENTS.md and HEARTBEAT.md changes before replacing existing files, keep a backup, and be cautious with optional provider/API-key configuration patches.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 76%
Finding: The skill's declared purpose is cost analysis, but the described behavior extends to scanning local skill directories and counting configured tools/plugins beyond what users would expect from a simple API-cost estimator. That mismatch matters because it broadens local visibility into the user's environment without clear disclosure, increasing the risk of unintended data exposure and making it harder for operators to assess what the skill will inspect.

VirusTotal

52/52 vendors flagged this skill as clean.
