anthropic api

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Anthropic API usage skill with expected external API and API-key handling, but users should be careful not to send sensitive chats or images unnecessarily.

Install only if you intend to use Anthropic’s API. Keep the API key in environment variables, do not paste secrets into prompts, and review or redact sensitive conversations, screenshots, documents, PII, PHI, financial, or internal business data before sending them to a third-party model provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The recipe explicitly recommends sending the full conversation history to an external API and trimming only for cost, but it omits any warning about sensitive data exposure, minimization, retention, or consent. In practice, this can lead users to transmit secrets, personal data, or internal business information unnecessarily, increasing privacy and compliance risk.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The recipe instructs users to send images via base64 or external URL for third-party analysis, but it omits any warning that image contents may contain sensitive personal, corporate, or regulated data. This can lead to unintentional data disclosure, especially because screenshots, charts, and documents often include secrets, PII, or internal business information that users may not realize they are transmitting.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal