Kvstore

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward local in-memory key-value API, with normal caution needed around its unauthenticated delete and flush endpoints.

Install only if you want a local temporary key-value API. Avoid storing secrets unless you control access to the port, keep the service bound to localhost, and be aware that /v1/flush deletes all keys currently held in memory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The documentation exposes a destructive `/v1/flush` endpoint that deletes all stored keys, but it provides no warning, confirmation guidance, or mention of access restrictions. In an agent setting, this increases the chance of accidental or unauthorized full data loss, especially if the service is reachable by other local processes or tools.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal