Netlify

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Netlify deployment helper, with account-changing actions that are disclosed and aligned with its purpose.

Install this only if you want an agent to help operate Netlify. Confirm the target site folder, Netlify team/account, site name, GitHub repository, build settings, and production-deploy intent before running commands, and prefer a scoped Netlify token that can be revoked.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The manifest description says to use the skill when the user asks to 'deploy a new site, connect a repo to Netlify, configure build/publish settings, set environment variables, enable deploy previews, or automate Netlify site creation.' This is a broad list without explicit trigger boundaries or negative examples, which can cause unintended invocation for general deployment or configuration requests.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal