heimaosearch

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward event-planning search integration, but it sends your search text and Heimaohui API credentials to Heimaohui's API.

Install only if you trust Heimaohui to receive your event-planning searches, account identifier, and API key. Prefer a dedicated or limited-scope API key if available, and avoid sending confidential planning details unless that service is approved for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings (High, 98% confidence)

Finding: The skill instructs the agent to send the user's account, API key, and query content to a third-party endpoint without any explicit user warning or consent flow. This creates a real risk of inadvertent credential and data disclosure to an external service, especially because the skill says the tool 'must' be used for a broad class of queries.

Missing User Warnings (Medium, 92% confidence)

Finding: The skill sends both the user's account identifier and open API key to an external service, but the manifest does not clearly disclose this credential transmission or warn the user that secrets are being forwarded off-platform. Because these values are authentication material, the lack of explicit disclosure and minimization increases the risk of unintended credential exposure or overbroad trust in the third-party endpoint.

VirusTotal

66/66 vendors flagged this skill as clean.