Pulse Editor Vibe Coding APIs

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed Pulse Editor cloud API integration, but users should understand it can send prompts to Pulse Editor and publish or update live apps.

Before installing, verify that you trust Pulse Editor and the skill publisher, provide the API key through an environment variable or credential manager, avoid putting secrets or regulated data in prompts, and explicitly confirm any request that will update an existing app or publish a live app.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The overview emphasizes convenience but does not prominently warn that user prompts and app-generation data are transmitted to a third-party cloud service and that generated apps may be automatically published. This can cause unintentional disclosure of sensitive data or accidental public deployment when users believe processing is local or non-publishing.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal