Security audit

rapidapi

Security checks across malware telemetry and agentic risk

Overview

This RapidAPI skill is mostly transparent, but its default settings can send the user's RapidAPI key to caller-chosen non-RapidAPI hosts.

Review before installing. Use this only with trusted callers and templates, set ALLOW_NON_RAPIDAPI_HOSTS=false unless you explicitly need other hosts, avoid unreviewed direct calls, and treat RAPIDAPI_KEY as a paid-service secret that may need rotation if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
95% confidence
Finding
The skill advertises a template-driven RapidAPI client but also exposes a universal direct-call function that forwards attacker-controlled request parameters to the network layer. In this context, that bypasses the action registry and any template-level restrictions, enabling arbitrary outbound requests and turning the skill into a general HTTP proxy when combined with permissive host settings.

Context-Inappropriate Capability

High
98% confidence
Finding
The code explicitly allows non-RapidAPI hosts by default via `ALLOW_NON_RAPIDAPI_HOSTS || "true"`, which materially expands the network trust boundary beyond the stated RapidAPI-specific purpose. This makes the skill capable of reaching arbitrary external services, increasing SSRF/proxy abuse risk and undermining assumptions that requests are constrained to RapidAPI endpoints.

Missing User Warnings

Medium
94% confidence
Finding
The skill encourages direct and template-driven RapidAPI calls but does not warn users that inputs may be transmitted to external third-party APIs. In this context, the universal call entrypoint and support for social data APIs increase the chance that sensitive identifiers, prompts, or personal data could be sent off-platform without informed user consent.

Missing User Warnings

Medium
94% confidence
Finding
`callRapidApiDirect` accepts arbitrary `input` and passes it to the request engine without any visible validation, disclosure, or user-safety guardrails. In a skill ecosystem, this effectively provides a generic outbound request primitive that can be abused to contact unintended services, send attacker-chosen headers/body data, and bypass the curated action interface.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.