Back to skill

Security audit

Red Note Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple external AI content-generation wrapper that discloses its API key and network endpoint, with privacy cautions users should consider.

Install only if you trust wsdsocial.com with the topics and style requests you submit. Do not include secrets, private personal data, regulated content, or unpublished business-sensitive material in prompts, and rotate the API key if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to place an API key in an environment variable and send requests, including user-provided content, to a third-party endpoint without any warning about credential sensitivity, external data transmission, logging, retention, or trust boundaries. This creates a real security and privacy risk because users may unknowingly expose secrets or sensitive prompts to an external service outside their control.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.