Back to skill

Security audit

raycast

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Raycast extension skill whose powerful API references are disclosed and purpose-aligned, though users should handle browser, clipboard, preference, and telemetry examples carefully.

Installers can treat this as a benign Raycast API reference skill. When using it to generate extensions, review any code that reads browser content, enumerates tabs, accesses clipboard or preferences, stores OAuth tokens, writes files, deletes files, or reports exceptions; require explicit user intent, minimize collected data, redact secrets before logging or telemetry, and use Raycast confirmations for destructive or externally visible actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation demonstrates fetching full browser tab content and copying it to the clipboard, which can include sensitive information from the active page such as personal data, internal documents, or session-related content. Because this is an API reference with a copy-pasteable example and no warning about consent, data sensitivity, or destination handling, it normalizes potentially unsafe use of highly sensitive browser data.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation presents enumeration of open browser tabs without warning that URLs, titles, and favicons reveal sensitive browsing metadata, including internal systems, identities, and work context. In an extension-building skill, this omission is risky because developers may treat tab listing as harmless utility data and expose or store it without adequate user awareness or minimization.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example uses `console.log(preferences)`, which can print all configured preferences, including `password`-type values documented in the same file. In a developer-facing API reference, this creates a risky usage pattern because readers may copy the snippet into real extensions and inadvertently expose secrets in logs, debugging output, or shared diagnostics.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly states that exceptions are reported to the Developer Hub but does not warn users or extension authors that exception objects may contain sensitive data such as file paths, URLs, tokens, or user content. In an API reference used as a primary source of truth, this omission can lead developers to instrument telemetry without sanitization or disclosure, creating privacy leakage risk across many extensions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.