Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
requests>=2.28.0 pytest>=7.0.0
- Confidence
- 95% confidence
- Finding
- requests>=2.28.0
confluence-publish
Security checks across malware telemetry and agentic risk
Overview
This skill coherently publishes user-provided HTML to Confluence using user-provided Atlassian credentials, with no hidden persistence or unrelated data access found.
Install only if you want an agent to create or update Confluence pages. Use a least-privilege Atlassian API token, verify the target space and page title before publishing because matching pages are updated, and prefer pinned dependency versions or a reviewed lock file for reproducible installs.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
requests>=2.28.0 pytest>=7.0.0
- Confidence
- 93% confidence
- Finding
- pytest>=7.0.0
Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more
High
- Category
- Supply Chain
- Confidence
- 98% confidence
- Finding
- requests
Known Vulnerable Dependency: pytest — 1 advisory(ies): CVE-2025-71176 (pytest has vulnerable tmpdir handling)
Low
- Category
- Supply Chain
- Confidence
- 85% confidence
- Finding
- pytest
VirusTotal
63/63 vendors flagged this skill as clean.