Countdown API

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed read/search integration for Countdown API through OOMOL, with setup cautions but no evidence of hidden or malicious behavior.

Install this only if you trust OOMOL and want your agent to use a connected Countdown API account. Run the oo CLI installer only after reviewing the source/provider, keep the API key scoped appropriately, and watch for billing or quota effects from product searches and account checks.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The description says to use this skill for "ANY Countdown API request" and "Whenever a task involves Countdown API," which is very broad and lacks clear boundaries or exclusion conditions. In a manifest/markdown context, this can overlap with many ordinary requests involving the service and does not specify narrower trigger phrases or negative examples.

External Script Fetching

High

Category: Supply Chain
Content: - **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>): ```bash curl -fsSL https://cli.oomol.com/install.sh | bash # macOS / Linux ``` ```powershell
Confidence: 90% confidence
Finding: curl -fsSL https://cli.oomol.com/install.sh | bash

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal