Security audit

Skillboss

Security checks across malware telemetry and agentic risk

Overview

SkillBoss is a coherent remote API gateway, but it gives agents broad live email, SMS, OTP, document, and audio-processing powers without enough consent or privacy guardrails.

Install only if you trust SkillBoss as a broad remote gateway and can control use of the API key. Use restricted or budget-limited credentials where possible, avoid confidential documents or recordings unless authorized, and require explicit human review before any email, SMS, OTP, or batch communication is sent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (11)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill documents email and SMS/OTP actions that send recipient addresses, phone numbers, message contents, and verification data to an external API, but it does not warn the user that this causes third-party transmission of potentially sensitive personal data. In an agent setting, this can lead to privacy violations or unintended outbound communications because the skill normalizes high-impact actions without disclosure or consent guidance.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The document processing section instructs users to provide a document URL to an external parsing/extraction service without warning that the document contents may be fetched, uploaded, and processed by third parties. If agents use this on confidential files, sensitive business or personal data could be exposed outside the local trust boundary.

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The image generation example downloads a remote URL returned by the service and writes it to a local file, but it does not warn that this modifies the filesystem and trusts remote content. In agent workflows, silent file writes can overwrite data, store untrusted content locally, or create artifacts without user awareness.

External Transmission

Medium

Category: Data Exfiltration
Content: ## Speech-to-Text ```bash curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{
Confidence: 79% confidence
Finding: curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "openai/whisper-1", "inputs": {"au

External Transmission

Medium

Category: Data Exfiltration
Content: ## Email ```bash curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{
Confidence: 94% confidence
Finding: curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "email/send", "inputs": {"to": "us

External Transmission

Medium

Category: Data Exfiltration
Content: Save to file: ```bash URL=$(curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{"model": "mm/img", "inputs": {"prompt": "A sunset over mountains"}}' \
Confidence: 76% confidence
Finding: https://api.heybossai.com/

External Transmission

Medium

Category: Data Exfiltration
Content: ## Speech-to-Text ```bash curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{
Confidence: 79% confidence
Finding: https://api.heybossai.com/

External Transmission

Medium

Category: Data Exfiltration
Content: ## Document Processing ```bash curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{
Confidence: 91% confidence
Finding: https://api.heybossai.com/

External Transmission

Medium

Category: Data Exfiltration
Content: ## Email ```bash curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{
Confidence: 94% confidence
Finding: https://api.heybossai.com/

External Transmission

Medium

Category: Data Exfiltration
Content: Send OTP: ```bash curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{
Confidence: 93% confidence
Finding: https://api.heybossai.com/

External Transmission

Medium

Category: Data Exfiltration
Content: Verify OTP: ```bash curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{
Confidence: 90% confidence
Finding: https://api.heybossai.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal