This skill facilitates SSRF and data exfiltration by allowing unvalidated user input in network requests, exposes sensitive environment variables, uses insecure CORS policies, and lacks necessary security capability declarations.
npx skills add https://github.com/expo/skills

HTTP exfiltration with embedded environment variables detected
https://api.weather.com/v1/current?city=${city}&key=${process.env.WEATHER_API_KEY

The skill provides a 'Proxy External API' pattern that encourages developers to pass user-controlled input directly into a URL string used for a fetch request, which is a classic SSRF vulnerability pattern. [severity raised to high: this vector is independently flagged by both deterministic and LLM analysis (ADR-0065 corroboration).]
const response = await fetch(`https://api.weather.com/v1/current?city=${city}&key=${process.env.WEATHER_API_KEY}`);

The skill suggests using a wildcard CORS policy ('*') for API routes, which can expose sensitive server-side endpoints to unauthorized cross-origin requests if not carefully managed. [severity raised to high: this vector is independently flagged by both deterministic and LLM analysis (ADR-0065 corroboration).]
"Access-Control-Allow-Origin": "*",

Environment secret flows to a network sink (JS/TS)
taint source (line 7): process.env.WEATHER_API_KEY → sink: fetch(
`https://api.weather.com/v1/current?city=${city}&key=${process.env.WEATHER_API_KEY}`
)

Environment secret flows to a network sink (JS/TS)
taint source (line 9): process.env.OPENAI_API_KEY → sink: fetch("https://api.openai.com/v1/chat/completions", {
method: "POST",
headers: {
"Content-Type": "application/json",
Authorization: `Bearer ${process.env.OPENAI_API_KEY}`,
},
body: JSON.stringify({
model: "gpt-4",
messages: [{ role: "user", content: prompt }],
}),
})

User input is used to construct a URL for a server-side HTTP request. This could allow an attacker to make requests to internal services or cloud metadata endpoints (Server-Side Request Forgery). Validate URLs against an allowlist of permitted hosts and schemes.
taint source (line 7): process.env.WEATHER_API_KEY → sink: fetch(
`https://api.weather.com/v1/current?city=${city}&key=${process.env.WEATHER_API_KEY}`
)

User input is used to construct a URL for a server-side HTTP request. This could allow an attacker to make requests to internal services or cloud metadata endpoints (Server-Side Request Forgery). Validate URLs against an allowlist of permitted hosts and schemes.
taint source (line 9): process.env.OPENAI_API_KEY → sink: fetch("https://api.openai.com/v1/chat/completions", {
method: "POST",
headers: {
"Content-Type": "application/json",
Authorization: `Bearer ${process.env.OPENAI_API_KEY}`,
},
body: JSON.stringify({
model: "gpt-4",
messages: [{ role: "user", content: prompt }],
}),
})

Untrusted data flows to an external API call without validation. Data from sources like window.name, document.location, or other client-controlled inputs is passed to library functions that may interpret it in unsafe ways. Validate or sanitize all untrusted input before passing it to external APIs.
taint source (line 7): process.env.WEATHER_API_KEY → sink: fetch(
`https://api.weather.com/v1/current?city=${city}&key=${process.env.WEATHER_API_KEY}`
)

Untrusted data flows to an external API call without validation. Data from sources like window.name, document.location, or other client-controlled inputs is passed to library functions that may interpret it in unsafe ways. Validate or sanitize all untrusted input before passing it to external APIs.
taint source (line 9): process.env.OPENAI_API_KEY → sink: fetch("https://api.openai.com/v1/chat/completions", {
method: "POST",
headers: {
"Content-Type": "application/json",
Authorization: `Bearer ${process.env.OPENAI_API_KEY}`,
},
body: JSON.stringify({
model: "gpt-4",
messages: [{ role: "user", content: prompt }],
}),
})

Unpinned npx package execution — `npx <pkg>` without a version pin pulls latest from npm at runtime
npx expo

Global/unverified dependency execution — global npm/yarn package, dotnet tool, or auto-confirmed npx run without version or integrity pinning
npm install -g
https://mondoo.com/ai-agent-security/skills/github/expo/skills/expo-api-routes