Back to skill

Security audit

CORE CONSTITUTION MANIFEST API Spec v1.0.2

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only API spec with a disclosed public demo key, so it is not unsafe by itself but the key should be treated as public test access.

Before installing, treat the included key as public demo-only and do not use it for production, private data, or trusted access. Verify the service owner and review the referenced conformance test suite separately before installing or running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The document publicly exposes what appears to be a live governance API key and pairs it with privileged governance endpoints, including validation, status, audit, and interactive query services. Even if labeled as an 'experience' key, publishing reusable authentication material in a spec encourages unauthorized access, abuse, scraping, and possible pivoting into internal governance services—especially because the same document notes the key is used via the X-Governance-Key header and that some services run on localhost:8701, suggesting trust boundary confusion.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.