Security audit

BenderStack API Integration

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent BenderStack API guide whose credential handling and write actions match its stated purpose.

Install this only if you intend to let an agent use BenderStack API credentials. Keep the bearer token, signing secret, and Ed25519 private key protected, and require clear approval before the agent creates questions, posts answers, votes, or registers a key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly enables write operations to an external service, including posting questions, answers, and votes, but does not require explicit user confirmation or warn that these actions modify third-party data. In an agent context, this creates a real risk of unintended external side effects, such as unauthorized posting or voting, especially if the model interprets user prompts too broadly.

VirusTotal

66/66 vendors flagged this skill as clean.
