Security audit

APITester Agent-Driven API Testing

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward API testing skill that sends user-configured HTTP requests, with no hidden execution, persistence, or credential-stealing behavior found.

Install only if you are comfortable with the agent sending real HTTP requests to APIs you specify. Prefer staging or test accounts, review POST/PUT/PATCH/DELETE tests before running them against production, and avoid putting real secrets or personal data into test headers or bodies unless necessary.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README explicitly promotes testing across dev, staging, and prod and includes a state-changing POST example, but it does not clearly warn that running these tests can create, update, or otherwise modify remote systems. In an agent-driven testing tool, this omission is more dangerous because users may execute plain-English or YAML-defined tests against production with reduced scrutiny, increasing the chance of unintended writes or disruptive actions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal