Kairoa CLI

Security checks across malware telemetry and agentic risk

Overview

The only reported issue is an API-key handling hygiene concern, not evidence of hidden or malicious behavior.

Install only if you are comfortable providing the required API key. Prefer setting secrets through environment variables, a secret store, or a secure prompt, and avoid copying examples that put real keys directly after -k or --api-key on the command line.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill explicitly demonstrates passing API keys via the `-k/--api-key` command-line flag, including a literal-looking secret format and shell-expanded secret variables. Command-line arguments are commonly exposed through shell history, process listings, audit logs, and terminal recording, so normalizing this pattern increases the chance of credential disclosure.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal