Htpasswd

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it handles real passwords and access-control files in ways users should review before installing.

Review before installing if this will touch real htpasswd files. Prefer test files first, keep backups of access-control files, avoid unusual usernames containing regex characters, and avoid putting long-lived real passwords directly in prompts or shell commands where they may be logged.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The command syntax and examples pass passwords as positional CLI arguments, which can leak through shell history, process listings, audit logs, and agent transcripts. Even if the hashing is correct, exposing raw secrets at invocation time materially weakens credential handling.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The script requires passwords to be passed as positional command-line arguments in the documented interface, which can expose secrets through shell history, process listings, audit logs, and orchestration tooling. In a credential-management skill, this is a real security weakness because the primary data handled by the tool is sensitive authentication material.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal