tavily-key-generator-proxy

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes numerous examples and workflows that require reading, writing, and embedding API keys, bearer tokens, and admin passwords verbatim in config files, curl commands, request headers/bodies, and generated files (api_keys.md / auto-upload), which forces the agent to handle secrets directly and risks exfiltration.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This skill is explicitly designed to enable deliberate service abuse and quota theft: it automates mass Tavily account creation (Playwright), bypasses bot protections (Capsolver/Turnstile), uses disposable email backends, includes anti‑ban/IP/ throttling guidance, and pools/uploaded keys behind a proxy that masks tokens — all indicating intentional fraudulent use of another service; I found no evidence of hidden backdoor RCE, remote shells, or covert exfiltration in the provided content.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's API Proxy clearly accepts arbitrary external URLs via the /api/extract endpoint (see "API Proxy Usage" in SKILL.md) and is intended to fetch and extract content from those public webpages, so the agent will read and act on untrusted third‑party page content that could contain instructive payloads.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The installation steps explicitly require cloning and running code from https://github.com/skernelx/tavily-key-generator.git (git clone ... then python main.py), which fetches remote code that is executed and is a required dependency for the skill.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (low risk: 0.30). The prompt instructs running installers, docker compose, Playwright deps, and includes an nginx/SSL config that would modify system-level files and may require elevated privileges, but it does not explicitly ask the agent to obtain sudo, create users, or bypass security mechanisms, so the risk is present but moderate/limited.