Back to skill

Security audit

Package Json Linter

Security checks across malware telemetry and agentic risk

Overview

This is a local package.json linting helper that reads selected project files and reports issues without evidence of network access, credential use, persistence, or file modification.

Install this only if you want a local helper for package.json linting. Run it against a specific package.json or intended project directory, and treat its security mode as heuristic script-risk checking rather than a full npm vulnerability audit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The description lists triggers such as "check package" and "validate npm," which are ambiguous and broad enough to overlap with ordinary requests about packages or npm in general. The file does not provide negative examples or tighter scope constraints beyond the mixed trigger list, increasing the risk of unintended invocation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.