SiliconFlow API

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a straightforward SiliconFlow media-generation helper, with the main caution that it stores your API key locally and sends selected prompts/media to SiliconFlow.

Install only if you are comfortable using a SiliconFlow API key with this skill and sending your prompts, text, and selected image files to SiliconFlow. Treat .sf-config.json as sensitive, restrict its permissions or delete it when finished, and avoid using private images or confidential text unless you trust the provider and account setup.

SkillSpector (1)

By NVIDIA

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The setup command writes the API key to a local JSON file in plaintext without warning the user or applying restrictive permissions. This creates a real credential exposure risk on shared systems, in backups, or if the workspace is later committed or copied.

Static analysis

Potential exfiltration

Critical

Finding: Shell script base64-encodes a local file and sends it over the network.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal