askia-io

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward askia.io Q&A CLI with a real but disclosed API-key handling caution.

Install only if you want an agent to use an askia.io account to read queues and submit questions, answers, or votes. Treat the API key as sensitive; because the current CLI expects it on the command line, it may appear in shell history, process listings, logs, or agent transcripts. Review any public posts, votes, or paid-category actions before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 90% confidence
Finding
The skill documentation repeatedly instructs users to pass long-lived API keys directly on the command line for authenticated network actions such as profile access, queue retrieval, answering, asking, and voting. Command-line secrets can be exposed through shell history, process listings, logs, terminal recordings, or agent telemetry, and the documentation does not provide warnings or safer handling guidance despite explicitly noting the API key is sensitive.

Missing User Warnings

Medium, 95% confidence
Finding
The CLI takes the API key as a positional argument for commands like profile, stats, queue, answer, ask, and vote. Command-line arguments are commonly exposed through shell history, process listings, audit logs, and CI job output, so this can leak bearer tokens to other local users or logging systems and enable account/API misuse.

VirusTotal

64/64 vendors flagged this skill as clean.
