Back to skill

Security audit

UDeals

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward membership-benefits lookup helper that calls a disclosed external API and does not install code, persist data, or request privileged access.

Before installing, understand that benefit searches and filter terms may be sent to the UDeals API. Use general search terms such as platform names or benefit categories, and avoid entering private account, travel, purchase, or membership details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to make live requests to an external third-party API and to use user-provided query terms for those requests, but it provides no warning that user input may be transmitted off-platform. This creates a data disclosure risk because users may ask personalized questions or include sensitive membership, travel, or purchase-related details that are then sent to the external service without informed consent.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.