Security audit

bee-languages-get

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a simple Bee Website Builder API wrapper for reading supported languages, with no evidence of hidden or destructive behavior.

Install only if you trust the Bee Website Builder endpoint and have a valid API key. Treat the API key as a secret: prefer environment variables or a secret store, avoid pasting it into chats or logs, and rotate it if exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 87% confidence
Finding: The documentation states that an API key is required and gives an example that passes it directly, but it does not clearly emphasize that this credential is sensitive or warn against exposing it in logs, prompts, screenshots, or chat transcripts. In agent workflows, users may copy secrets into plaintext inputs, increasing the chance of accidental credential disclosure and subsequent unauthorized API use.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal