Webpack

Security checks across malware telemetry and agentic risk

Overview

This skill appears low-risk to run, but it is flagged for review because it advertises webpack help while mostly serving generic placeholder guidance.

Install only if you understand this is mostly a generic reference-template script, not reliable webpack documentation. It does not appear to access sensitive data or modify the system, but users should verify any webpack advice elsewhere before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The script is presented as a webpack reference tool, but nearly all command output is generic operations and infrastructure guidance unrelated to webpack. This is a security-relevant integrity issue because users may rely on the tool for domain-specific guidance and instead receive misleading content, which can cause unsafe decisions, misuse of the skill, or erosion of trust in higher-assurance agent workflows.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The inline documentation explicitly markets the skill as a webpack reference tool, but the implementation serves contradictory, non-webpack guidance. In an agent ecosystem, deceptive or mismatched documentation is dangerous because it can route users or downstream systems to incorrect tooling and produce unreliable outputs under false pretenses.

VirusTotal

No VirusTotal findings
