Security audit

Bing Webmaster CLI

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward guide for installing and using a Bing Webmaster CLI, with expected API-key handling and no evidence of hidden or harmful behavior.

Before installing, verify that `bing-webmaster-cli` is the package you intend to trust. Treat the Bing Webmaster API key as a secret, avoid passing it inline on shared systems where shell history or process listings may expose it, prefer environment variables or the interactive prompt when practical, avoid storing credentials on shared machines, run `bwm auth clear` when done, and review any URL batch file before submitting it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill instructs users to place a Bing Webmaster API key in an environment variable or pass it directly on the command line, but it does not warn that this credential is sensitive or note safer handling practices. Command-line arguments can be exposed via shell history and process listings, and local storage guidance without permission or file-mode cautions can lead to inadvertent credential disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.