Security audit

Tsconfig Validator

Security checks across malware telemetry and agentic risk

Overview

This skill is a local TypeScript config checker that reads a chosen tsconfig file and reports issues, with no evidence of hidden network access or persistence.

This appears safe for its stated purpose. Install it if you want a local tsconfig.json linter, and run it only against configuration files you intend to inspect. Be aware that one trigger phrase is broad, so users may want to invoke it explicitly with commands like "lint tsconfig" or "validate tsconfig.json."

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 70%
Finding: Without declared permissions the skill's intent is opaque and cannot be validated.

Vague Triggers

Medium
Confidence: 92%
Finding: The manifest description says the skill triggers on "typescript settings," which is a broad natural-language phrase that could match everyday discussion rather than an explicit request to validate a tsconfig file. The trigger list also does not provide exclusion conditions or boundaries to distinguish general TypeScript configuration questions from a request to run this validator.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.