Expanso cve-scan

Security checks across malware telemetry and agentic risk

Overview

This CVE scanner is not malicious, but users should review it because it can share SBOM package details externally and some modes may return incomplete or misleading scan results.

Review before installing if your SBOMs reveal sensitive internal dependency inventory. Use CLI mode only for SBOMs whose package names and versions may be shared with OSV, avoid exposing the MCP server beyond trusted networks, and do not rely on MCP mode or large/non-npm SBOM results without independent validation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The pipeline sends package names and versions derived from the SBOM to an external third-party service (OSV) but does not prominently warn users in the manifest that dependency metadata will leave the local environment. In some organizations, SBOM contents are sensitive because they reveal internal components, proprietary software choices, or vulnerable assets, so undisclosed transmission can create confidentiality and compliance risks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal