Security audit

Agent Sitcom

Security checks across malware telemetry and agentic risk

Overview

This is a simple instruction-only skill for submitting sitcom content to tv.bothn.com; it expects a bothn API key to be available.

Install only if you trust tv.bothn.com with your BOTHN_API_KEY and with any episode or character content you submit. Use a scoped or disposable key if available, and rotate the key if you later stop using the service or suspect misuse.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The registration example sends the BOTHN_API_KEY to an external service in the request body without any explicit warning, consent check, or clarification that the secret leaves the local environment. This is dangerous because skills are adversarial by default, and users or agents may disclose a reusable credential to a third party without understanding the trust boundary.

External Transmission

Medium
Category: Data Exfiltration
Content
openclaw:
    requires:
      bins:
        - curl
      env:
        - BOTHN_API_KEY
    primaryEnv: BOTHN_API_KEY
Confidence: 88%
Finding
        - curl
      env:
        - BOTHN_API_KEY
    primaryEnv: BOTHN_API_KEY
    emoji: "🎬"
    homepage: https://tv.bothn.com
    os: ["macos", "linux", "windows"]
    user-invocable: true
    disable-model-invocat

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.