WebSim API

Security checks across malware telemetry and agentic risk

Overview

This is a mostly read-only WebSim API reference skill with one clearly disclosed, user-requested authenticated comment-posting endpoint.

Safe to use for public WebSim lookups. Only provide a WebSim Bearer token when you intend to post a comment, and require the agent to show the exact project, reply target, and comment text before sending it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs use of an Authorization Bearer token for posting comments to an external service but does not clearly warn that the user's credential will be transmitted off-platform. In an agent setting, that omission can lead users or downstream systems to provide sensitive tokens without informed consent, increasing the risk of credential exposure, misuse, or posting actions performed under the user's identity.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal