Swiss Phone Directory

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Swiss phone-directory lookup tool that uses a disclosed search.ch API key and sends user-entered lookup queries to search.ch.

Before installing, use a dedicated search.ch API key, avoid committing it to dotfiles or shared gateway configs, and prefer a temporary environment variable or secret manager where practical. Only search for names, phone numbers, or locations you are comfortable sending to search.ch, and be aware that the documented command path may need adjustment from scripts/searchch.py to searchch.py.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The documentation recommends storing a long-lived API key in shell profile files such as ~/.bashrc and ~/.zshrc, which can increase the chance of credential exposure through backups, dotfile syncing, shared accounts, or accidental disclosure. While this is common setup guidance and not malicious, it omits safer handling guidance and persistence tradeoffs for secrets.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal