Motie CLI

Security checks across malware telemetry and agentic risk

Overview

This skill is a plausible Motie API helper, but it gives an agent broad authority to discover and call third-party APIs without clear user-approval limits.

Review before installing. Verify the npm package and publisher, use a scoped or easily revocable Motie API key, avoid passing secrets or unnecessary personal data, and require explicit approval before any API call that costs money, changes account or real-world state, posts content, scrapes sensitive sites, or sends personal information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (94% confidence)

The activation text is very broad: it says to use the skill for nearly any task involving APIs or whenever Motie is mentioned. Overbroad triggers can cause inappropriate auto-invocation, increasing the chance the agent routes ordinary requests through an external marketplace tool unnecessarily and exposes user intent or data to third-party services.

Vague Triggers

Medium (96% confidence)

The instruction to use the skill whenever an external API is needed is ambiguous and expansive, effectively making this skill a default pathway for a wide range of tasks. In practice, that can bypass safer built-in capabilities, trigger unnecessary third-party lookups, and create opportunities for data leakage or unreviewed API usage based on weak matching.

VirusTotal

63/63 vendors flagged this skill as clean.
