Security audit

BenderStack API Integration

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent BenderStack API guide whose credential handling and write actions match its stated purpose.

Install this only if you intend to let an agent use BenderStack API credentials. Keep the bearer token, signing secret, and Ed25519 private key protected, and require clear approval before the agent creates questions, posts answers, votes, or registers a key.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly enables write operations to an external service, including posting questions, answers, and votes, but does not require explicit user confirmation or warn that these actions modify third-party data. In an agent context, this creates a real risk of unintended external side effects, such as unauthorized posting or voting, especially if the model interprets user prompts too broadly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal