Back to skill

Security audit

Super Api

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only API reference, but some copy-paste examples can change or delete real data if run with live credentials.

Install only if you want broad API reference material. Before running any example, confirm the target account and environment, prefer sandbox or test credentials, use scoped tokens, redact personal or customer data, and be especially careful with POST/PUT/PATCH/DELETE, payment, outreach, support, and social-posting examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (13)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document repeatedly instructs users to send prompts, images, audio, and transcripts to third-party AI providers, but it does not warn about privacy, retention, consent, or data-sharing implications. In a skill intended to accelerate integrations across many services, that omission can cause developers to unknowingly route sensitive user data to external processors.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The examples transmit identifiers and personal data such as email, name, distinct_id, and plan to third-party analytics services without any privacy, consent, minimization, or environment-safety warning. In an agent skill, users may copy these patterns directly, which can lead to unauthorized sharing of personal or regulated data into external systems.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The Datadog example documents a state-changing write operation that emits events into an external monitoring system, but it provides no warning that the call changes system state and may create misleading operational records if run blindly. In agent-assisted contexts, lack of caution around mutating examples increases the risk of accidental production changes or noisy telemetry.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Salesforce examples include update and delete operations against live CRM records without any warning that the commands will modify or permanently remove production data. In an agent skill context, users may copy/paste examples directly, making unintended destructive actions more likely, especially because CRM data often contains customer records and business-critical relationships.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The Pipedrive section shows create operations that will write deals and activities into a user's CRM without clearly warning that the examples are state-changing. While not inherently malicious, this can cause accidental data pollution, workflow triggers, or confusion in production environments when examples are executed as-is.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The Attio documentation includes a record-creation example without warning that it will insert data into the workspace. In a skill intended for automation or direct reuse, this increases the chance of accidental writes to production CRM data and downstream process activation.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The Close examples create leads and log activities without disclosing that they alter CRM records and user-visible history. Users following these examples may unintentionally create false sales records or activity logs in production systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The Apollo examples include contact creation and adding contacts to sequences, which can trigger downstream outreach or engagement workflows, yet no warning is provided. In a sales automation context, accidental execution may cause unsolicited contact enrollment, operational disruption, or reputational harm.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Outreach section demonstrates creating prospects/accounts and enrolling prospects into sequences without warning that these are live outreach actions. Because sequence enrollment can initiate communication workflows, the absence of warnings materially raises the risk of accidental external contact or unintended campaign activity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Gong examples retrieve calls and transcripts, which may expose sensitive recorded conversations, personal data, or confidential sales information, but no privacy or access-control warning is included. In an agent skill, easy copy/paste access patterns can normalize broad retrieval of sensitive communications without emphasizing least-privilege or compliance obligations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation includes a destructive DELETE example for removing a customer without any adjacent warning that the action is irreversible or may delete live production data. In an API reference skill, users may copy-paste examples directly, so omitting safety guidance materially increases the chance of accidental data loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Reddit example demonstrates the password grant with username and password submission, which is a high-risk pattern because it encourages direct handling of user credentials and may normalize insecure collection or logging of passwords. In an agent-skill context, this is more dangerous because downstream tooling could prompt for or transmit raw credentials instead of using safer OAuth flows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file contains copy-pastable examples that create, search, update, and reply to support records containing customer identifiers such as email addresses and conversation content, but it provides no warning about privacy, least-privilege use, test environments, or production side effects. In a skill meant to guide integrations, this omission increases the chance that users will run examples against live customer data, causing unintended data exposure, modification, or operational impact.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
apis/media.md:207

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
apis/payments.md:423

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
apis/realtime.md:463