Config Validator

Security checks across malware telemetry and agentic risk

Overview

This skill is a local configuration checker with some sloppy validation behavior, but no evidence of hidden execution, exfiltration, persistence, or destructive actions.

Before installing, treat this as a lightweight local checker, not a strict security gate. Be aware it reads your workspace .env file, and missing critical variables may still produce a success status; review the output manually and do not rely on it alone to block deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The module claims to ensure critical configurations are present, but `checkEnv()` returns `valid: true` even when required secrets like `OPENAI_API_KEY` or `DATABASE_URL` are missing. This creates a fail-open validation path that can let downstream automation proceed in an insecure or broken state, undermining trust in the validator and potentially causing services to start without required security controls.

VirusTotal

No VirusTotal findings
