Nm Parseltongue Python Packaging

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Python packaging guide, but it may activate too broadly and includes real PyPI publishing commands without clear safety gating.

Install only if you want an agent to help with Python package distribution. Treat any publish command as a deliberate public release step: review the package contents, verify the target repository and credentials, prefer TestPyPI first, and require explicit user confirmation before running uv publish.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Severity: Medium (96% confidence)
Finding
The trigger list includes very broad terms such as 'python', 'pip', 'pypi', and 'distribution', which are likely to activate this skill during many unrelated Python conversations. Over-broad activation increases the chance the agent injects packaging guidance in the wrong context, potentially steering users toward build/publish actions they did not request.

Missing User Warnings

Severity: Medium (92% confidence)
Finding
The quick-start sequence includes 'uv publish' to PyPI without any warning that this releases artifacts to a public package registry. In an agent setting, that omission can normalize or automate a high-impact external action, increasing the risk of accidental publication of internal, unreviewed, or sensitive code.

VirusTotal

65/65 vendors flagged this skill as clean.