daily.dev Ask

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed daily.dev search helper whose main caution is that it uses a daily.dev API token from the user's environment or secret store.

Install only if you trust daily.dev and are comfortable letting the agent use a daily.dev API token. Prefer a dedicated, revocable token, verify requests go only to api.daily.dev, and avoid sending private code or sensitive questions unless you intend to share them with that service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Context-Inappropriate Capability

Medium

Confidence: 88% confidence
Finding: The skill instructs the agent to retrieve a bearer token from environment variables and OS credential stores, which expands the agent's capability from answering questions into accessing local secrets. Although the token is intended for the daily.dev API, granting the skill secret-access behavior is risky because any prompt injection, logging, error handling, or future modification could expose the token or normalize unnecessary credential access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal