Back to skill

Security audit

Tally

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Tally API helper; it uses a local Tally API key to read and update Tally forms, which is sensitive but disclosed and aligned with its purpose.

Install this only if you want your agent to use your Tally API key to list, read, and update Tally forms and potentially access submissions. Confirm form IDs and JSON payloads before updates, prefer a dedicated least-privilege key, and treat downloaded submissions or backup files as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

External Transmission

Medium
Category
Data Exfiltration
Content
TALLY_KEY=$(cat ~/.config/tally/api_key)

# Backup first
curl -s "https://api.tally.so/forms/{ID}" \
  -H "Authorization: Bearer $TALLY_KEY" > /tmp/backup.json

# Update
Confidence
84% confidence
Finding
curl -s "https://api.tally.so/forms/{ID}" \ -H "Authorization: Bearer $TALLY_KEY" > /tmp/backup.json # Update curl -s "https://api.tally.so/forms/{ID}" \ -X PATCH \ -H "Authorization: Bearer $T

External Transmission

Medium
Category
Data Exfiltration
Content
TALLY_KEY=$(cat ~/.config/tally/api_key)

# Backup first
curl -s "https://api.tally.so/forms/{ID}" \
  -H "Authorization: Bearer $TALLY_KEY" > /tmp/backup.json

# Update
Confidence
84% confidence
Finding
https://api.tally.so/

External Transmission

Medium
Category
Data Exfiltration
Content
-H "Authorization: Bearer $TALLY_KEY" > /tmp/backup.json

# Update
curl -s "https://api.tally.so/forms/{ID}" \
  -X PATCH \
  -H "Authorization: Bearer $TALLY_KEY" \
  -H "Content-Type: application/json" \
Confidence
89% confidence
Finding
https://api.tally.so/

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.