GoodVerify

Security checks across malware telemetry and agentic risk

Overview

The skill matches its contact-verification purpose, but it uses an unverified remote installer and weak API-key handling that users should review before installing.

Install only if you trust GoodVerify and the referenced CLI source. Prefer a pinned release or verified installer instead of curl | sh, use the least-privileged API key that supports your task, avoid sharing secrets in chat, and submit only contact or address data you are authorized to send to GoodVerify.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly tells the agent to ask the user for an API key and pass it on the command line via `goodverify configure --key <api_key>`, but provides no safeguards for secrets handling. This is dangerous because API keys may be exposed in chat logs, shell history, process listings, or agent telemetry, enabling unauthorized access to the user's external account.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill routes emails, phone numbers, and physical addresses to a third-party verification API but does not disclose that this may transmit sensitive personal data outside the local environment. That omission can cause privacy, compliance, and consent issues, especially for bulk verification or owner-enrichment features that may involve regulated or personal information.

External Script Fetching

Low
Category
Supply Chain
Content
If not installed:

```bash
curl -fsSL https://raw.githubusercontent.com/agoodway/goodverify_cli/main/install.sh | sh
```

If not configured, ask the user for their API key and base URL, then:
Confidence
98% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/agoodway/goodverify_cli/main/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
If not installed:

```bash
curl -fsSL https://raw.githubusercontent.com/agoodway/goodverify_cli/main/install.sh | sh
```

If not configured, ask the user for their API key and base URL, then:
Confidence
99% confidence
Finding
| sh

VirusTotal

64/64 vendors flagged this skill as clean.
