Security audit

Useclick Link Shortening Analytics

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only UseClick API helper whose credential and link-management guidance is expected for its purpose, though users should handle API keys carefully.

Install if you intend to use UseClick API workflows. Store the UseClick API key in an environment variable or secret manager, avoid pasting real tokens into chat or logs, and explicitly confirm any update or delete action because it can change links or remove analytics in your UseClick account.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly tells users to authenticate with a live bearer token (`uc_live_...`) but does not include any guidance on secure secret handling, such as storing API keys in environment variables, redacting them from logs, or avoiding hardcoding in prompts and source files. In an agent or automation context, this omission increases the chance that a real production credential will be pasted into chat, embedded in code, or exposed through logging and telemetry.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal