Sixtyfour Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Sixtyfour API reference skill for people and company enrichment, but it can handle sensitive contact data and should be used carefully.

Install only if you intend to let an agent use Sixtyfour for people or company enrichment. Protect the API key, confirm a lawful and authorized basis before looking up personal emails or phone numbers, avoid uploading confidential or unnecessary CSV fields, require explicit approval for paid, bulk, workflow, or webhook actions, and review the optional sixtyfour-mcp package separately before running it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (19)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The README explicitly promotes gathering personal and company intelligence, including emails, phone numbers, and other profile data, but provides no privacy, consent, acceptable-use, or data-handling guidance. In a skill intended for agent automation, this omission increases the risk of misuse for surveillance, scraping, or unauthorized contact enrichment at scale.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill prominently supports discovery of personal emails and phone numbers but does not warn users that these are privacy-sensitive data elements subject to legal, policy, and consent constraints. That omission can lead users to collect or process personal contact data in ways that violate privacy expectations or regulatory requirements.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill sends user-provided lead, company, and search data to a third-party API, but the description does not prominently disclose that external transmission occurs. This can cause inadvertent exfiltration of sensitive business or personal information to an external processor without informed user consent or appropriate data handling review.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The reference documents transmission of lead, company, and webhook payload data to an external service, including potentially sensitive personal and business information, but provides no warning, consent guidance, data-classification notes, or privacy handling requirements. In a people-intelligence skill, that omission materially increases the risk of users sending regulated or confidential data off-platform without understanding the exposure.

External Transmission

Medium

Category: Data Exfiltration
Content: ### Endpoint ``` POST https://api.sixtyfour.ai/enrich-lead (sync, timeout 15min) POST https://api.sixtyfour.ai/enrich-lead-async (async, returns task_id) ```
Confidence: 87% confidence
Finding: https://api.sixtyfour.ai/

External Transmission

Medium

Category: Data Exfiltration
Content: ### Endpoint ``` POST https://api.sixtyfour.ai/enrich-lead (sync, timeout 15min) POST https://api.sixtyfour.ai/enrich-lead-async (async, returns task_id) ``` ### Request Body
Confidence: 87% confidence
Finding: https://api.sixtyfour.ai/

External Transmission

Medium

Category: Data Exfiltration
Content: ### Endpoint ``` POST https://api.sixtyfour.ai/enrich-company (sync) POST https://api.sixtyfour.ai/enrich-company-async (async) ```
Confidence: 87% confidence
Finding: https://api.sixtyfour.ai/

External Transmission

Medium

Category: Data Exfiltration
Content: ### Endpoint ``` POST https://api.sixtyfour.ai/enrich-company (sync) POST https://api.sixtyfour.ai/enrich-company-async (async) ``` ### Request Body
Confidence: 87% confidence
Finding: https://api.sixtyfour.ai/

External Transmission

Medium

Category: Data Exfiltration
Content: ### Endpoint ``` POST https://api.sixtyfour.ai/find-email POST https://api.sixtyfour.ai/find-email-async POST https://api.sixtyfour.ai/find-email-bulk-async (up to 100 leads) ```
Confidence: 93% confidence
Finding: https://api.sixtyfour.ai/

External Transmission

Medium

Category: Data Exfiltration
Content: ### Endpoint ``` POST https://api.sixtyfour.ai/find-email POST https://api.sixtyfour.ai/find-email-async POST https://api.sixtyfour.ai/find-email-bulk-async (up to 100 leads) ```
Confidence: 93% confidence
Finding: https://api.sixtyfour.ai/

External Transmission

Medium

Category: Data Exfiltration
Content: ``` POST https://api.sixtyfour.ai/find-email POST https://api.sixtyfour.ai/find-email-async POST https://api.sixtyfour.ai/find-email-bulk-async (up to 100 leads) ``` ### Request Body
Confidence: 94% confidence
Finding: https://api.sixtyfour.ai/

External Transmission

Medium

Category: Data Exfiltration
Content: ### Endpoint ``` POST https://api.sixtyfour.ai/find-phone POST https://api.sixtyfour.ai/find-phone-async POST https://api.sixtyfour.ai/find-phone-bulk-async (up to 100 leads) ```
Confidence: 93% confidence
Finding: https://api.sixtyfour.ai/

External Transmission

Medium

Category: Data Exfiltration
Content: ### Endpoint ``` POST https://api.sixtyfour.ai/find-phone POST https://api.sixtyfour.ai/find-phone-async POST https://api.sixtyfour.ai/find-phone-bulk-async (up to 100 leads) ```
Confidence: 93% confidence
Finding: https://api.sixtyfour.ai/

External Transmission

Medium

Category: Data Exfiltration
Content: ``` POST https://api.sixtyfour.ai/find-phone POST https://api.sixtyfour.ai/find-phone-async POST https://api.sixtyfour.ai/find-phone-bulk-async (up to 100 leads) ``` ### Bulk via DataFrame
Confidence: 94% confidence
Finding: https://api.sixtyfour.ai/

External Transmission

Medium

Category: Data Exfiltration
Content: ### Bulk via DataFrame ``` POST https://api.sixtyfour.ai/enrich-dataframe {"csv_data": "name,company\nJohn,Acme", "enrichment_type": "phone"} ```
Confidence: 95% confidence
Finding: https://api.sixtyfour.ai/

External Transmission

Medium

Category: Data Exfiltration
Content: ### Endpoint ``` POST https://api.sixtyfour.ai/qa-agent POST https://api.sixtyfour.ai/qa-agent-async ```
Confidence: 86% confidence
Finding: https://api.sixtyfour.ai/

External Transmission

Medium

Category: Data Exfiltration
Content: ### Endpoint ``` POST https://api.sixtyfour.ai/qa-agent POST https://api.sixtyfour.ai/qa-agent-async ``` ### Request Body
Confidence: 86% confidence
Finding: https://api.sixtyfour.ai/

External Transmission

Medium

Category: Data Exfiltration
Content: ### Start Search ``` POST https://api.sixtyfour.ai/search/start-deep-search {"query": "...", "mode": "people", "max_results": 1000} ``` Returns: `{"task_id": "...", "status": "queued"}`
Confidence: 84% confidence
Finding: https://api.sixtyfour.ai/

External Transmission

Medium

Category: Data Exfiltration
Content: ### Download Results ``` GET https://api.sixtyfour.ai/search/download?resource_handle_id={id} ``` Returns signed URL (expires 15 min). Results in CSV format.
Confidence: 82% confidence
Finding: https://api.sixtyfour.ai/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal