Api Ninjas

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it needs review because its description does not match its broad Membrane-based API Ninjas access.

Review before installing. Use this only if you intend to connect API Ninjas through Membrane, trust the Membrane CLI and account connection flow, and are comfortable with the agent making authenticated API requests. Prefer confirming any proxy request or non-read action before it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The manifest description materially misrepresents what the skill does: it claims management of Organizations, Users, Goals, and Filters, while the body documents a broad API Ninjas integration with generic action discovery and arbitrary proxied requests. This can cause an agent or reviewer to authorize or invoke the skill under false assumptions, increasing the risk of unintended external access and overbroad capability use.

VirusTotal

65/65 vendors flagged this skill as clean.
