claude

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill shows users how to route Claude API requests through RunAPI, with expected third-party data sharing but no hidden code or persistence.

Install only if you are comfortable sending Claude prompts, public image URLs, tool-search requests, and a RunAPI API key to RunAPI. Avoid secrets, regulated data, private internal URLs, or sensitive reasoning output unless your organization has approved that provider and its logging and retention practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs users to send prompts and API keys to an external service and later states that image URLs must be publicly fetchable, but it provides no warning that user content, credentials, and referenced media are transmitted off-platform. In a skill that brokers LLM calls, this omission can cause unintentional disclosure of sensitive prompts or private images to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.
