SimpleHttpSkill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward HTTP client skill that can send user-directed requests, including authenticated or state-changing ones, but the artifacts do not show hidden data access, persistence, or deception.

Install this only if you want an agent to make general HTTP/API requests. Verify destination URLs and methods before use, avoid sending secrets or personal data unless the endpoint is trusted, use scoped temporary tokens, and require explicit confirmation before POST, PUT, PATCH, or DELETE requests against real systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly enables arbitrary outbound HTTP requests, custom headers, and webhook/API calls, but the documentation provides no safety guidance about sending secrets, personal data, or internal-only information to external services. In an agent setting, this omission increases the risk of unintended data exfiltration because users or downstream workflows may pass sensitive content directly into requests.

Missing User Warnings

Medium
Confidence: 93%
Finding
The example normalizes use of an Authorization bearer token in headers without any adjacent guidance on credential handling, storage, logging, or destination trust. This can encourage unsafe copying of real tokens into requests and raises the likelihood of credential leakage to untrusted or mistyped endpoints.

VirusTotal

64/64 vendors flagged this skill as clean.
