Statamic AI Gateway

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Statamic content-management gateway, but its setup and use can change real site content if pointed at production.

Install only if you trust the Statamic AI Gateway addon and the sites you configure. Keep sites.json private, use scoped or rotated tokens where possible, and run the write test only against a staging site or a disposable slug you are prepared to clean up.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The installation guide tells the user to perform a write-path smoke test that creates or updates remote content, but it does not prominently warn that this step will modify the target Statamic site. In a multi-site or production environment, a user may run this against a real site and unintentionally alter content, making this an unsafe setup practice rather than a code-execution flaw.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal