Back to skill

Security audit

Ai Course Agent

Security checks across malware telemetry and agentic risk

Overview

The course-generation purpose is coherent, but the skill embeds a billing API key, sends Edustem credentials to a hardcoded ngrok endpoint, and can charge SkillPay before generation succeeds.

Only use this skill if you trust the publisher, can verify the Edustem endpoint, and understand the SkillPay charges. Avoid entering real Edustem credentials until the API host is confirmed, and ensure any integration passes a real authenticated user ID rather than relying on the default.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/skillpay.ts:39