Balzac

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Balzac CLI guide whose API key, workspace, content generation, and publishing behavior match its stated purpose.

Install only if you trust the balzac-cli npm package and intend to let an agent use your Balzac account. Prefer a secure environment variable or secret manager for BALZAC_API_KEY instead of putting keys directly in shell commands, and require explicit confirmation before spending credits, deleting resources, changing settings, rewriting articles, or publishing to live integrations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium, 89% confidence
Finding
The skill instructs users to authenticate with an API key, create workspaces from domains, and publish content to third-party platforms without warning that site data, generated content, and connected publishing credentials will be transmitted to external services. In a security-sensitive agent context, omission of these disclosures can lead users to expose proprietary content or grant broad CMS access without informed consent.

VirusTotal

63/63 vendors flagged this skill as clean.
