Beeminder

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Beeminder API helper, but users should treat the auth token as sensitive and confirm before changing or deleting datapoints.

Install only if you are comfortable letting the agent use a Beeminder auth token. Keep the token out of shared chats, logs, and committed files, and require the agent to show the goal slug, datapoint ID, value, and intended action before any add, update, or delete request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill instructs users to set a long-lived personal auth token and then demonstrates data-modifying API calls, but it does not warn about protecting the token from shell history, process listings, logs, or accidental disclosure. It also does not clearly warn that later examples can create, update, or delete Beeminder data, which can lead to unintended account changes if copied blindly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal