Back to skill

Security audit

Keyapi Facebook

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for KeyAPI Facebook lookups, but it needs Review because it persists an API token in shell profile files and includes broad helper capabilities that are under-scoped for the stated public-data use case.

Install only if you are comfortable with the skill storing a KeyAPI bearer token in your shell profile as plaintext. Prefer the interactive setup over --token, review the target profile file after setup, rotate the token if it was exposed in shell history, and avoid using --image-file or --output-file unless you intentionally want to send a local file to KeyAPI or save full API responses on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script persistently modifies the user's shell profile to store KEYAPI_TOKEN, which exceeds the narrow stated purpose of Facebook data retrieval and creates a lasting change to the user's environment. Persisting secrets in startup files increases exposure to accidental disclosure, unintended reuse by unrelated processes, and surprise system state changes the user may not expect from this skill.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The package performs local shell-environment reconfiguration not reflected in the manifest description, so users may invoke a Facebook analysis skill without understanding it will alter their login/profile scripts. This mismatch weakens informed consent and can hide sensitive persistence behavior, especially because the modification stores authentication material for future shells.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script is a generic authenticated API client, not a narrowly scoped read-only Facebook exploration tool. It accepts arbitrary HTTP methods, arbitrary platform-relative paths under /v1/facebook, and arbitrary JSON bodies, which expands capability beyond the declared purpose and could enable unintended state-changing or sensitive operations if the upstream API exposes them.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The rule explicitly encourages saving full API helper results to local files for internal analysis and notes that complete payloads are typically stored under `data.data`, but it does not require any warning, minimization, access control, or cleanup guarantees. In a skill that handles public Facebook data this is lower severity than credentials exposure, but saved payloads can still contain large amounts of user data and metadata that may persist in shared workspaces, logs, or temporary directories longer than intended.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Accepting the bearer token via --token exposes the secret to common leakage channels such as shell history, terminal logging, job control output, and process listings visible to other local users or monitoring tools. Because this is an API credential, disclosure can enable unauthorized use of the user's KeyAPI account until the token is rotated.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script writes a bearer token into the user's shell profile without an explicit confirmation immediately before modifying the file, causing a sensitive persistent change that may surprise users. This is dangerous because it combines secret persistence with automatic modification of startup files, increasing the chance of accidental disclosure and reducing user control over where credentials are stored.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code can read arbitrary local files via --image-file, base64-encode them, and transmit them to the remote API inside an authenticated request. Because the skill is presented as Facebook data exploration, this file-upload behavior is not obvious from the context and could be abused to exfiltrate local data under the guise of normal API usage.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.secret_argv_exposure

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/keyapi-api.mjs:127

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
references/setup-and-auth.md:42