Security audit

Nishare Api

Security checks across malware telemetry and agentic risk

Overview

This skill is a purpose-built Nishare publishing helper; its external sharing and authentication behavior is disclosed and aligned with that purpose, though users should be careful not to publish sensitive content or expose API keys.

Install only if you intend agents to publish content to Nishare. Review generated payloads before publishing, avoid uploading secrets or private documents unless you mean to share them, and store Nishare credentials in environment variables or a secret manager rather than pasting real keys into prompts or command examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly guides an agent to send AI-generated content to an external service, including authenticated publishing and updating, but it does not instruct the agent to obtain explicit user consent or warn that data will leave the current environment. This creates a real risk of unintended disclosure of sensitive prompts, generated documents, images, or account-scoped content to Nishare.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The reference explicitly states that anonymous publishing is allowed and describes authenticated sharing and workspace targeting, but it does not warn users that published AI-generated HTML, markdown, or images may become accessible through share links and could expose sensitive data. In this skill context, the omission is more dangerous because the skill is specifically designed to help agents publish generated content automatically, increasing the chance of unintentional disclosure.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The examples include API keys directly in headers using placeholder values, but do not provide any guidance on secure credential handling such as using environment variables, secret stores, or avoiding shell history/log leakage. In an agent skill that generates curl commands for end users, this can normalize unsafe copy-paste practices and increase accidental credential exposure.

External Transmission

Medium
Category
Data Exfiltration
Content
---
name: nishare-api
description: Use when the user wants to publish, update, or explain how to publish AI-generated HTML, image, or document content to Nishare via its API, needs curl examples, API-Key/Bearer authentication, 工作组 targeting, payload validation rules, or wants an agent prompt that returns a Nishare shareUrl.
metadata:
  short-description: Publish and update Nishare shares
---
Confidence
88% confidence
Finding
curl examples, API-Key/Bearer authentication, 工作组 targeting, payload validation rules, or wants an agent prompt that returns a Nishare shareUrl. metadata: short-description: Publish and update Nisha

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.