Back to skill

Security audit

cn-api-doc-writer

Security checks across malware telemetry and agentic risk

Overview

This is a Chinese API documentation helper, but it should be reviewed because it advertises an external validation service and executable script without clear data-handling guidance.

Install only if you are comfortable with a skill that may use an external validation service for API documentation. Avoid sending private OpenAPI specs, internal source-derived docs, tokens, auth examples, or unreleased API details to the backend unless you have confirmed the operator and data-handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
79% confidence
Finding
The trigger list contains broad phrases such as general API documentation terms, which can cause the skill to activate in contexts where the user did not intend to use it. Unintended invocation is dangerous here because the skill also references remote validation and shell execution, expanding the chance of accidental data exposure or unsafe actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly mentions a real backend and an executable validation script but does not warn users that using these features may send content over the network or execute local commands. This lack of disclosure can cause users to expose sensitive API docs, internal schemas, credentials, or source code to an external endpoint or through shell-side effects without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.