Yummy Shared

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a coherent yummycli/Gemini helper, but it documents an unsafe way to pass a live Gemini API key on the command line.

Install only if you trust `@yummysource/yummycli` and are comfortable with always-on yummycli guidance. Do not paste a real Gemini API key into a command argument or chat; prefer a dedicated, revocable key provided through `GEMINI_API_KEY`, an interactive prompt, or another secret-safe mechanism.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

High

Confidence: 98% confidence
Finding: Passing an API key as a command-line argument can expose the credential through shell history, process listings, terminal logs, agent telemetry, or debugging output. Because this skill is specifically about authentication setup for Gemini-backed commands, the insecure example directly increases the chance that operators will leak a live secret during routine use.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal