REST API Tester

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward REST API testing guide, with expected but sensitive examples involving credentials and public webhook tunnels.

Use this skill only against APIs you are authorized to test. Prefer test environments, least-privilege temporary tokens, and sanitized payloads; verify target URLs before sending credentials or state-changing requests, and treat any ngrok tunnel as public while it is running.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill encourages authenticated API calls and exposing a local webhook via ngrok, but provides no warning about sending bearer tokens, basic-auth credentials, or sensitive payloads to third-party or public endpoints. In practice, this can lead users to leak secrets or internal data during testing, especially when copying the examples verbatim.

VirusTotal

64/64 vendors flagged this skill as clean.
