Back to skill

Security audit

Keyapi Pinterest

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed KeyAPI helper for Pinterest analysis, with credential persistence risks users should understand before setup.

Install only if you are comfortable giving the skill a KeyAPI token and letting its setup script persist that token in your shell profile. Prefer the interactive setup command over passing --token on the command line, review the shell profile change if possible, and use this skill only for KeyAPI/Pinterest API workflows you intend to run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script persistently writes KEYAPI_TOKEN into the user's shell startup profile, causing the credential to be loaded into future shells outside the immediate task scope. Persisting secrets in broadly sourced profile files increases exposure to accidental disclosure, unintended reuse by unrelated processes, and profile-file tampering risks, especially since the skill's stated purpose is Pinterest analysis rather than system-level shell configuration.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script detects, reads, and later modifies user shell startup files such as .zshrc, .bashrc, .profile, or PowerShell profiles. That capability exceeds the narrow functional need of querying a Pinterest-related API and creates unnecessary access to sensitive user initialization files, where mistakes or abuse could alter execution environments or expose credentials persistently.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script accepts arbitrary HTTP methods and request bodies even though the skill is described as read-only Pinterest discovery/analysis. That mismatch expands the capability surface to include state-changing API operations if the upstream KeyAPI endpoint exposes them, violating least privilege and increasing the chance of unauthorized writes, deletions, or side effects through a skill users would reasonably trust as read-only.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
The code inspects the user's shell profile and parses a managed block to recover KEYAPI_TOKEN, which is broader access to local user configuration than is necessary for a Pinterest analysis client. While it appears intended as a convenience feature, it creates unnecessary credential-discovery behavior and normalizes reading sensitive local files, which could expose tokens from disk or be repurposed in a more adversarial context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.secret_argv_exposure

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/keyapi-api.mjs:127

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
references/setup-and-auth.md:42