Dependency Impact Analyzer

Security checks across malware telemetry and agentic risk

Overview

This is a benign dependency-analysis helper that searches a project and checks npm dependency information without installing software, persisting, or modifying files.

Install if you want a command-oriented helper for dependency upgrade, removal, or replacement planning. Expect it to inspect files in the current repository and to query npm for package versions, deprecation status, and advisories; avoid running it in repositories you do not intend to analyze or in environments where outbound npm lookups are not allowed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill is presented as a local dependency impact analyzer, but it performs outbound npm registry queries via `npm info` and `npm audit`. That creates undisclosed network access and data flow outside the repository, which can leak dependency inventory or violate offline/restricted-environment expectations even if the functionality is useful.

VirusTotal

60/60 vendors flagged this skill as clean.
