Back to skill

Security audit

Keyapi Threads

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real KeyAPI Threads helper, but it needs Review because it stores API credentials persistently in shell startup files and exposes broad live API request capability.

Review before installing if you are not comfortable with a skill storing a KeyAPI token in your shell profile. Prefer a current-session KEYAPI_TOKEN or a dedicated secret store, avoid passing real tokens through --token in shared shells, and inspect/remove the managed keyapi-skills block if you uninstall or rotate credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script persistently modifies the user's shell startup profile to install authentication state, which exceeds the stated Threads discovery/analysis function and creates a side effect outside normal API usage. Even if intended for convenience, writing to login profiles can unexpectedly alter user environments, survive beyond the current session, and create opportunities for secret exposure or unintended command execution paths if the profile is later shared or inspected.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script writes the API token into persistent shell profile files in plaintext, causing long-lived credential storage in a location that may be broadly readable by local tools, backups, sync services, or accidental sharing. This is not required for a content-analysis skill and increases the blast radius of token compromise because the secret is automatically loaded into future shells.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script exposes broad request-construction primitives such as arbitrary method, path/endpoint, query, body, and output controls, which substantially exceed a narrowly described read-only Threads discovery skill. Even though path scope is partially constrained to /v1/threads, this still enables writes or unintended API actions if the backend supports mutating Threads-related endpoints now or in the future, creating a capability mismatch that can be abused by prompts or downstream agents.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads the user's shell profile and parses a managed block to recover KEYAPI_TOKEN, which goes beyond the stated purpose of analyzing Threads content and accesses unrelated local configuration data. Accessing shell startup files increases exposure of sensitive local environment details and normalizes secret harvesting behavior inside a skill, especially risky in an agent context where users may not expect local profile inspection.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes credential-bearing content to the detected profile path immediately, without an interactive confirmation showing the file being changed or warning about persistence. This makes accidental modification of sensitive startup files more likely and can silently introduce durable authentication state into environments where the user did not intend permanent storage.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.secret_argv_exposure

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/keyapi-api.mjs:127

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
references/setup-and-auth.md:42