Sano Intel · 探针资本

Security checks across malware telemetry and agentic risk

Overview

The skill matches its healthcare data lookup purpose, but it asks users to send an API token over plain HTTP to a raw IP address.

Install only if you trust the publisher and accept the token exposure risk. Prefer an HTTPS endpoint, use a scoped and revocable token, avoid storing valuable tokens in shell startup files, and rotate the token if it has already been used over this HTTP endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

High
Confidence: 98%
Finding
The skill instructs users to send an API token in the X-API-Key header to an HTTP endpoint (not HTTPS). That exposes the credential to interception by network attackers, proxies, or logs, and the document provides no warning or safer alternative despite explicitly handling a secret.

VirusTotal

63/63 vendors flagged this skill as clean.
