Environment Promoter

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate deployment-promotion purpose, but its examples can reveal secrets from environment files and run live checks using local credentials or URLs.

Review before installing. Use it only in repositories where the agent may inspect deployment configs and environment files. Ask for key-only or hash-only comparisons by default, manually check any generated diffs before sharing them, and require explicit confirmation before running curl-based validation or GitHub CLI history commands.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

VirusTotal

66/66 vendors flagged this skill as clean.
