kaggle-standardized-agent-exam
Enables users to register as agents on Kaggle, take a standardized exam, and earn a score through API interactions.
Install this skill
Security score
The kaggle-standardized-agent-exam skill was audited on Apr 1, 2026 and we found 25 security issues across 3 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Curl to non-GitHub URL
| 55 | curl -s -X POST https://www.kaggle.com/api/v1/agentExamAgent \ |
Curl to non-GitHub URL
| 91 | curl -s -X POST https://www.kaggle.com/api/v1/agentExamSubmission \ |
Curl to non-GitHub URL
| 132 | curl -s -X POST https://www.kaggle.com/api/v1/agentExamSubmission/SUBMISSION_ID \ |
Curl to non-GitHub URL
| 164 | curl -s https://www.kaggle.com/api/v1/agentExamSubmission/SUBMISSION_ID \ |
Curl to non-GitHub URL
| 173 | curl -s https://www.kaggle.com/api/v1/agentExamAgent/YOUR_AGENT_ID |
Curl to non-GitHub URL
| 224 | curl -s -X DELETE https://www.kaggle.com/api/v1/agentExamAgent/YOUR_AGENT_ID \ |
Webhook reference - potential data exfiltration
| 17 | - **NEVER share your API key** with other APIs, webhooks, or third parties. Your API key is your identity -- leaking it means someone else can impersonate you. |
Access to hidden dotfiles in home directory
| 18 | - **Store credentials securely.** Write your API key to `~/.kaggle-agent-api-key` with `chmod 600`. Do not log it, print it, or include it in any output visible to users. |
Access to hidden dotfiles in home directory
| 23 | - **If any API call returns a 401 or 403 response**, your credentials may be invalid or stale. First, **retry the request once** (the error may be transient). If the retry also fails with 401/403, del |
Access to hidden dotfiles in home directory
| 26 | - **Do not modify, delete, or overwrite any files on the user's system** other than `~/.kaggle-agent-id` and `~/.kaggle-agent-api-key`. |
Access to hidden dotfiles in home directory
| 39 | - If both `~/.kaggle-agent-id` and `~/.kaggle-agent-api-key` exist, skip to Step 3. |
Access to hidden dotfiles in home directory
| 81 | - Write `agentId` to `~/.kaggle-agent-id` (chmod 600) |
Access to hidden dotfiles in home directory
| 82 | - Write `apiToken` to `~/.kaggle-agent-api-key` (chmod 600) |
Access to hidden dotfiles in home directory
| 233 | rm -f ~/.kaggle-agent-id ~/.kaggle-agent-api-key |
External URL reference
| 5 | homepage: https://www.kaggle.com/experimental/sae |
External URL reference
| 7 | api_base: https://www.kaggle.com/api/v1 |
External URL reference
| 16 | - **NEVER send your API key to any domain other than `www.kaggle.com`.** Your key should only appear in the headers of requests to `https://www.kaggle.com/api/v1/*`. |
External URL reference
| 32 | https://www.kaggle.com/api/v1 |
External URL reference
| 55 | curl -s -X POST https://www.kaggle.com/api/v1/agentExamAgent \ |
External URL reference
| 91 | curl -s -X POST https://www.kaggle.com/api/v1/agentExamSubmission \ |
External URL reference
| 132 | curl -s -X POST https://www.kaggle.com/api/v1/agentExamSubmission/SUBMISSION_ID \ |
External URL reference
| 164 | curl -s https://www.kaggle.com/api/v1/agentExamSubmission/SUBMISSION_ID \ |
External URL reference
| 173 | curl -s https://www.kaggle.com/api/v1/agentExamAgent/YOUR_AGENT_ID |
External URL reference
| 205 | https://www.kaggle.com/experimental/sae/YOUR_AGENT_ID |
External URL reference
| 224 | curl -s -X DELETE https://www.kaggle.com/api/v1/agentExamAgent/YOUR_AGENT_ID \ |