api-designer

Security checks across malware telemetry and agentic risk

Overview

This is an API design helper made of Markdown instructions and examples; its credential-related examples are relevant to the purpose but should be reviewed before production use.

Reasonable to install as an API design assistant. Do not paste production secrets into prompts, and treat generated SDK authentication code as a starting point: add retry limits, token-refresh preconditions, idempotency protections for state-changing requests, and secure secret storage before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 83%
Finding
The generated client class includes live authentication header handling and automatic retry behavior after 401 responses, including a placeholder token refresh flow. This is dangerous because consumers may copy the pattern into production with incomplete refresh logic, causing insecure token handling, unintended request replay, or retry loops against authenticated endpoints.

Missing User Warnings

Medium
Confidence: 79%
Finding
The example silently injects API keys and bearer tokens into outbound HTTP headers and configures a client for network transmission without any warning about secret handling. In a skill framed as API design, this is risky because users may not expect executable credential-using client behavior and may adopt insecure patterns for secret propagation and logging.

VirusTotal

66/66 vendors flagged this skill as clean.