Dependency Tracker

Security checks across malware telemetry and agentic risk

Overview

The skill appears to generate and send a dependency report to Feishu, which is a disclosed and purpose-aligned workflow, but users should treat the report as potentially sensitive before sharing it.

Before installing, confirm the Feishu destination is trusted and review the generated dependency report for internal package names, private project identifiers, paths, or environment details. Use it where sharing dependency inventory in Feishu is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill mandates sending the generated dependency report to Feishu, but it does not warn users that the report may contain sensitive environment details such as installed global packages, Node.js/npm versions, and project dependency metadata. This creates a real data-exposure risk because operational and package inventory information can aid reconnaissance or violate internal data-handling expectations when transmitted to an external messaging platform.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal