Facebook Marketplace Search

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local-service client for Marketplace searches, with dependency hygiene issues but no hidden persistence, credential use, or destructive behavior found.

Install this only if you understand it does not search Facebook by itself: it sends your search terms and location to the local or configured Marketplace API service. Keep the endpoint on localhost or another service you control, use a virtual environment, and prefer removing the unused Flask dependency and pinning dependency versions for reproducible installs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Unpinned Dependencies

Low
Category: Supply Chain
Content:
Flask>=3.0.0
requests>=2.31.0
Confidence: 98%
Finding: Flask>=3.0.0

Unpinned Dependencies

Low
Category: Supply Chain
Content:
Flask>=3.0.0
requests>=2.31.0
Confidence: 98%
Finding: requests>=2.31.0

Known Vulnerable Dependency: Flask — 8 advisory(ies): CVE-2025-47278 (Flask uses fallback key instead of current signing key); CVE-2018-1000656 (Flask is vulnerable to Denial of Service via incorrect encoding of JSON data); CVE-2019-1010083 (Pallets Project Flask is vulnerable to Denial of Service via Unexpected memory u) +5 more

High
Category: Supply Chain
Confidence: 90%
Finding: Flask

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category: Supply Chain
Confidence: 92%
Finding: requests

VirusTotal

64/64 vendors flagged this skill as clean.
