InvestLog AI

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a normal API integration, but its setup guidance handles an API key in an unsafe way that could expose the credential.

Install only if you are comfortable correcting or avoiding the query-string API key pattern. Prefer an Authorization or dedicated API-key header, rotate any key that was placed in a URL, and avoid using high-privilege or billing-sensitive keys until the guidance is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill explicitly instructs users to pass the API key as a URL query parameter, which can expose the secret in browser history, logs, proxy/server access logs, referrer headers, and telemetry systems. Even though this is 'just' a setup instruction, it creates a real credential-handling weakness that can lead to unauthorized API use if the key is captured.

VirusTotal

VirusTotal findings are pending for this skill version.
