Back to skill

Security audit

rapidapi-launch-assistant

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate API launch helper, but it can steer an agent toward publishing listings and sending outreach without explicit confirmation safeguards.

Install only if you want an agent to help with API marketplace launch and monetization. Treat it as a planning and drafting assistant unless you explicitly approve publishing, price changes, or outbound messages. Review generated outreach, listings, pricing, and any use of API keys before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
78% confidence
Finding
The invocation description is broad enough to trigger on many business, API, debugging, pricing, outreach, or packaging requests that may not actually require this skill. Over-broad routing can cause the agent to enter a workflow that suggests monetization, publication, or external go-to-market actions in contexts where the user did not intend them.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs the agent to publish listings, run outreach, and package/sell workflows without any built-in warning, consent checkpoint, or distinction between drafting and executing external actions. In an agent setting, that can lead to marketplace-affecting or externally visible actions being initiated without sufficiently explicit user approval.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.