PropAI Sync

Security checks across malware telemetry and agentic risk

Overview

This appears to be a deployment-validation skill with purpose-aligned API checks, but users should avoid saving generated API keys in handoff notes or logs.

Install only if you intend to validate that deployment. Treat any bootstrap API key as sensitive, do not put it in HANDOFF.md, terminal logs, screenshots, or shared CI output, and rotate or revoke the test key after validation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the operator to obtain an API key from `/api/auth/bootstrap`, reuse it against `/api/users/me`, and log endpoint results in `HANDOFF.md`, but it provides no guardrails against exposing that credential in terminal output, shell history, CI logs, or handoff notes. In a deployment-validation workflow, this context makes the issue more dangerous because the key is generated from a live hosted environment and could grant real access if accidentally persisted or shared.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal