Security audit

Npjames Api Design

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only REST API design guide with no executable behavior or hidden data access.

Reasonable to install as an API design reference. Be aware it may be auto-selected for REST API design requests, and treat the displayed bearer token and API key strings as placeholders only.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 82%
Finding:
The default prompt is very broad and closely matches common user requests about REST API design, which increases the chance this skill will be selected in situations where the user did not explicitly intend to invoke it. Over-broad auto-routing can cause prompt-context injection into unrelated conversations and expand the skill's reach beyond narrowly scoped API-design assistance.

Vague Triggers

Medium
Confidence: 90%
Finding:
Enabling implicit invocation without defined constraints allows the skill to activate automatically based on loose similarity matching rather than explicit user choice. In combination with a generic API-design topic, this increases the risk of unintended invocation, context leakage from unrelated requests, and overbroad influence on assistant behavior.

VirusTotal

60/60 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code: suspicious.exposed_secret_literal
Location: SKILL.md:302