Dependency Health Check

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent dependency-audit checklist, with some commands that should be approved before they install tools or change dependencies.

Install this if you want an agent to help audit project dependencies. Require explicit approval before running package installs, npx tools, `npm audit fix`, `pip-audit --fix`, or dependency removals, and prefer a branch, virtual environment, or container for scans that may touch the network or local tooling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The skill directs the agent to install and execute additional tooling (`pip install pipreqs`) during analysis. Installing packages as part of a read-only audit expands the attack surface, can execute untrusted package code or dependency hooks, and introduces networked side effects that are not necessary for basic dependency inspection.

VirusTotal

60/60 vendors flagged this skill as clean.
