Cloudinary Cli

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for Cloudinary use, but it persists Cloudinary credentials in a project-local .env file without enough disclosure or handling guidance.

Review the credential setup before installing. Use a least-privilege Cloudinary key if possible, confirm cmd/cli/.env is gitignored and not logged, restrict file permissions, and rotate the key if it may have been committed or exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

High

Confidence: 96% confidence
Finding: The skill instructs the agent to collect Cloudinary API credentials and write them into `cmd/cli/.env` without any warning about secure storage, file permissions, or persistence risk. This can expose long-lived secrets to other local users, accidental commits, logs, backups, or downstream tooling, making credential compromise significantly more likely in a real agent environment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal