Skill v1.1.1

VirusTotal security

Protagons · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Benign · Apr 30, 2026, 5:16 AM

Hash: b15bc7a44853fbce0d48908e9f7f0dd658cba5a5052f102acda9816377f79004
Source: palm
Verdict: benign

Code Insight

Package: (mcp)
Version: 1.1.0
Description: Browse, search, deploy, and generate Protagon AI character identities. Deploy loads a rich SOUL.md personality for the agent to adopt.

The package provides tools for interacting with the Protagons API to browse, search, deploy, and generate AI character identities. All network communication is performed over HTTPS to the declared `api.usaw.ai` endpoint. Input parameters for API calls are properly encoded using `URLSearchParams` or `encodeURIComponent`, mitigating URL injection or path traversal risks. The package does not perform any local file system operations or execute system commands.

The most significant security consideration is the `protagons_generate` function, which requires and transmits a user-provided `google_api_key` to the `api.usaw.ai` backend. The package documentation (`SKILL.md`, `config.json`) is transparent about this, stating the key is used for a single server-side Gemini call and is not stored. While sending a user's API key to a third-party service always carries an inherent trust risk, the explicit disclosure and recommendation to use scoped or throwaway keys mitigate this concern. The code correctly handles this transmission over HTTPS within a JSON body.

No other sensitive data is handled or transmitted in an insecure manner. The package's logic aligns with its stated purpose and transparently communicates its external dependencies and credential handling.