Youdo Business

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only YouDo Business API reference; it covers sensitive business actions, but those actions are disclosed and fit the stated purpose.

Install only if you want an agent to help with YouDo Business API operations. Use least-privilege credentials, avoid exposing private keys or JWTs in prompts/logs, prefer sandbox testing, verify IDs, amounts, and webhook URLs, and require explicit confirmation before payments, invoices, employee/project changes, agreement changes, document access, or webhook modifications.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill includes detailed instructions for JWT authentication and RS256 request signing, including issuer/company identifiers and signed payment flows, but provides no warning about protecting private keys, bearer tokens, or sensitive company/account data sent to the external API. In an agent setting, this can encourage unsafe handling of credentials or inadvertent transmission of secrets and business data without user awareness.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal