Back to skill

Security audit

Api Tmp

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only API reference, but it includes many copy-ready examples for high-impact live actions without consistent safety warnings.

Install only if you want a broad API reference and are comfortable reviewing commands before use. Treat all POST, PUT, PATCH, and DELETE examples as potentially live actions: use test accounts or sandboxes, least-privilege tokens, dummy recipients, and explicit confirmation before running anything involving money, trading, customer data, public posts, messages, or deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (69)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The Anthropic vision example explicitly demonstrates sending image content and prompts to a third-party AI service, but the documentation provides no privacy, consent, or data-handling warning. In a skill intended as copy-pastable API guidance, that omission can cause users to upload sensitive images or prompts without understanding retention, vendor processing, or regulatory implications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Perplexity section describes search-backed prompts but does not warn that user input may trigger external web retrieval and broader disclosure beyond a normal model prompt submission. That missing warning is security-relevant because users may assume prompts stay only within the API provider, when the product behavior inherently expands data exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The ElevenLabs section highlights voice cloning capability without any caution about consent, biometric sensitivity, impersonation risk, or handling of voice samples. Because voice data can be highly sensitive and subject to legal or policy restrictions, omitting those warnings materially increases misuse risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The Sentry example performs a state-changing action by resolving an issue, but the documentation does not warn that running the command will modify production incident state. In an API reference skill, users may copy-paste examples directly, so undocumented write operations can cause accidental operational changes and loss of visibility into unresolved errors.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Algolia example includes a DELETE request that removes an object, but there is no warning that the operation is destructive and may permanently remove indexed data. In reference documentation, this increases the chance of accidental data deletion when users test commands against real indices.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This file is a communication API reference that includes many ready-to-run examples for sending SMS, email, chat messages, webhooks, and meeting creation, but it provides no warning about consent, privacy, billing impact, or accidental real-world delivery. In documentation intended for agent skills, that omission is security-relevant because users or agents may execute examples against live services and unintentionally transmit data or contact third parties.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The authentication examples show credential-bearing requests using highly sensitive API keys without an explicit warning to avoid exposing, logging, or using privileged keys in client-side contexts. In this skill, multiple services are documented together, and users may copy/paste examples directly, increasing the risk of accidental secret leakage or misuse of elevated credentials such as Supabase service_role keys.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document includes destructive API examples such as deleting infrastructure resources without any warning, confirmation guidance, or indication that the action is irreversible and can cause service disruption or data loss. In a skill intended as an API reference, this omission increases the chance that an agent or user copies a dangerous command directly into production use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents retrieval and mutation of environment variables and uses secret-bearing headers, but it does not warn that environment-variable endpoints may expose sensitive configuration or that example payloads can normalize putting secrets directly into commands. This can lead to accidental disclosure in logs, shells, screenshots, or agent traces, especially when used by automation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Drift examples include live write operations such as creating/updating contacts and sending conversation messages, but the documentation provides no caution that these calls mutate production customer data and may contact real users. In an agent skill context, users may copy or execute examples directly, making accidental customer-impacting actions more likely.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The Crisp section shows commands that send messages, update people profiles, and change conversation state without warning that they affect live customer communications and support workflow. Because this skill is an API reference intended for operational use, omission of safety cues increases the chance of unintended outbound messages or workflow disruption.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The Front examples include replying to customer conversations, creating contacts, and reassigning conversations, all of which can alter customer communications and team workflow. Without cautionary text, an agent or user may treat them like safe reference snippets and trigger real operational changes.

Missing User Warnings

High
Confidence
98% confidence
Finding
The Customer.io section includes customer deletion and transactional messaging examples but does not warn that these calls can delete records or send live communications. In a marketing automation context, accidental execution can cause irreversible data loss and unintended customer outreach at scale.

Missing User Warnings

High
Confidence
98% confidence
Finding
The Braze examples cover user tracking, message sending, campaign triggering, and user-data export, but provide no warnings about privacy-sensitive processing, outbound messaging, or bulk operational effects. Given Braze's use for large-scale engagement, misuse could affect many users and expose sensitive customer data.

Missing User Warnings

High
Confidence
97% confidence
Finding
The Iterable section contains examples that update user profiles, track events, send email, trigger workflows, and register device tokens without warning about live production effects. In a campaign automation platform, these operations can change user state and initiate real communications or downstream automations.

Missing User Warnings

High
Confidence
97% confidence
Finding
The Klaviyo examples show profile updates, event tracking, list subscriptions, and campaign creation with no warning that these actions can modify audiences and initiate marketing workflows. Because the examples are ready-to-run and server-side authenticated, accidental use could impact real subscriber data and messaging campaigns.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The Wise transfer example shows how to initiate a money transfer without an explicit warning that it can move real funds if used against production with valid tokens. In a payment/API reference skill, omission of environment-selection and irreversible-action warnings increases the chance of accidental live transfers by users copying commands verbatim.

Missing User Warnings

High
Confidence
95% confidence
Finding
The Coinbase 'Send Crypto' example demonstrates an irreversible asset transfer without warning that blockchain transfers cannot usually be undone and may result in permanent loss if misaddressed. Because this is a copy-pastable API example in a payments/trading context, the missing caution materially raises user risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Binance order example places a live market order but does not warn that executing it with real API keys will trade assets immediately and may incur financial loss. In trading documentation, lack of a testnet/live-environment warning is a meaningful safety issue because users often copy examples directly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The Alpaca create-order example omits a warning distinguishing paper trading from live trading, even though the file separately lists different base URLs. Users may accidentally submit real stock orders if they use production credentials and endpoint values from surrounding documentation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This reference file includes many create, update, delete, cancel, and upload examples across productivity SaaS APIs, but it does not pair those examples with safety guidance such as confirmation prompts, dry-run suggestions, or warnings before mutating live data. In an agent-skill context, users or downstream agents may copy these examples directly, increasing the risk of unintended data modification across connected third-party accounts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The OneSignal/Courier/Knock/Novu examples include live notification sends and creation of user/subscriber records using contact data, but they do not clearly warn that running these commands can send real outbound communications or modify production user data. In an API reference skill, users may copy-paste examples directly, so the missing caution materially increases the risk of accidental spam, privacy-impacting writes, or test traffic hitting real recipients.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The Reddit authentication example uses a password grant with `-u "CLIENT_ID:CLIENT_SECRET"` and inline `username`/`password` parameters on the command line, which can expose secrets via shell history, process listings, logging, and copied documentation snippets. In an API reference skill, users are likely to copy-paste commands directly, so the lack of any warning or safer alternative makes this a real credential-handling risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The Intercom examples perform live reads and writes of customer support data, including contact creation, search, conversation replies, and in-app messaging, without any warning that these operations may affect real users or expose personal data. In a reference skill, this can lead users to run examples unchanged against production workspaces, causing privacy issues and unintended customer-facing actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Zendesk examples include creating tickets and updating tickets with public comments, but they do not warn that these actions can alter live support records and send customer-visible responses. Because this is operational support data, accidental use in production can create audit, privacy, and business-process harm even if the examples are technically correct.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
apis/media.md:207

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
apis/payments.md:423