Api Gateway

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad API gateway that can send data and use service tokens without clearly defined safety boundaries.

Install only if you can tightly control which APIs and credentials the skill may use. Prefer read-only, least-privilege tokens, avoid query-string secrets and broad workspace tokens, require explicit approval for POST or other write operations, and disable proactive or multi-agent use unless you have clear permission, logging, cache cleanup, and redaction rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill is explicitly designed to connect to arbitrary external REST/GraphQL APIs, send requests, and expose logs, but it does not describe any safeguards around data classification, credential redaction, destination allowlisting, or user-consent boundaries. In an agent context, this can enable sensitive prompts, user data, API tokens, or internal metadata to be transmitted to untrusted endpoints or revealed through logs.

External Transmission

Medium
Category
Data Exfiltration
Content
```
# Add new API
api add weather
  --base:https://api.openweathermap.org/data/2.5
  --auth:query:appid:$WEATHER_API_KEY

# Add endpoint
```
Confidence
88% confidence
Finding
https://api.openweathermap.org/

External Transmission

Medium
Category
Data Exfiltration
Content
```
api call weather current --q:"Mexico City" --units:metric

# Direct call with URL
api get https://api.example.com/data

# POST with body
api post https://api.example.com/create --body:'{"name":"test"}'
```
Confidence
90% confidence
Finding
https://api.example.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```
api get https://api.example.com/data

# POST with body
api post https://api.example.com/create --body:'{"name":"test"}'
```

### Management
Confidence
91% confidence
Finding
https://api.example.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```yaml
# apis/weather.yaml
name: weather
base_url: https://api.openweathermap.org/data/2.5
auth:
  type: query
  param: appid
```
Confidence
84% confidence
Finding
https://api.openweathermap.org/

VirusTotal

62/62 vendors flagged this skill as clean.
