UAPI 步骤2 (方法一): 获取加密数据接口

Security checks across malware telemetry and agentic risk

Overview

This is a narrow documentation-only skill for retrieving encrypted Clipzy clipboard data from one disclosed UAPI endpoint, with a routing caution around broad trigger wording.

Install only if you intend your agent to use this Clipzy/UAPI retrieval workflow. Because the skill advertises broad triggers like "get," verify that your agent is calling it only when you explicitly provide a Clipzy/UAPI id, and provide a UAPI Key only when you deliberately want to use your account quota.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The skill metadata description includes highly generic trigger terms such as "get," which can match many unrelated user requests and cause unintended invocation of this skill. In an agent environment, overly broad routing increases the chance of calling the wrong API, potentially leading to inappropriate data access attempts, confusing behavior, or disclosure of clipboard-related workflow context to an unintended tool.

Vague Triggers

Medium

Confidence: 98% confidence
Finding: The explicit keyword list contains the standalone English trigger "get," which is far too broad for safe skill selection and is likely to activate on ordinary conversation. Because this skill targets encrypted clipboard retrieval, accidental routing is more concerning than for a harmless informational skill: it can steer the agent toward sensitive-data retrieval logic when the user did not intend that action.

Vague Triggers

Medium

Confidence: 97% confidence
Finding: The skill enables implicit invocation with no trigger phrases, scope limits, or other activation constraints, so it may be selected automatically for vague requests such as 'get' or 'api get'. In this context, the skill directly invokes a data-retrieval API for encrypted/shared clipboard content, which increases the risk of unintended access, privacy-impacting calls, or parameter confusion when user intent is ambiguous.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal