Feature Toggle Manager

Security checks across malware telemetry and agentic risk

Overview

This is a transparent feature-flag cleanup guide, but users should treat its credentialed service commands as sensitive and run them deliberately.

Before installing, confirm you are comfortable giving the agent access to the target repository and any flag or monitoring service tokens. Prefer read-only/scoped API keys for audits, review any generated cleanup plan before code or service changes, and do not let the agent delete or archive production flags without owner approval and a rollback plan.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs use of authenticated curl requests against LaunchDarkly and Unleash APIs without warning that repository/service metadata and flag inventories may be transmitted to external systems. In an agent context, this can lead to unintended outbound access using sensitive tokens and disclosure of operational metadata without explicit user consent.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The Datadog monitoring example uses API credentials and performs an outbound query without disclosure that it accesses a third-party monitoring service. In an automated-agent setting, this can cause silent credential use and external transmission of feature-flag names or service telemetry context.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal