Back to skill

Security audit

OnlyFans API Access

Security checks across malware telemetry and agentic risk

Overview

This is a coherent OnlyFansAPI analytics helper, but it should be used carefully because it can access sensitive account, revenue, subscriber, and link-performance data.

Install only if you intend to let an agent query OnlyFansAPI.com with your API key. Treat the key and returned analytics as sensitive, prefer a least-privilege or read-only key if available, keep requests scoped to the specific report you need, and review any generated curl command before it runs if it targets a domain other than app.onlyfansapi.com or tries to read local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger text says to use the skill for 'anything related to OnlyFans,' which is overly broad for a capability that accesses sensitive agency analytics and linked account data. This can cause the agent to invoke the skill for loosely related requests and unnecessarily expose or process private financial and performance data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explains how to query account analytics across all connected models but does not clearly warn that it will access sensitive financial, subscriber, and performance data. Without an upfront privacy/data-access warning, users may not realize the scope of data retrieval, increasing the risk of inadvertent disclosure or over-collection.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.