windows-shell

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Windows encoding helper; its main caution is that optional setup makes persistent user-level shell and Git configuration changes.

Install normally if you want Windows encoding guidance. Before running --setup-env or the setup commands, review the exact user environment variables, shell startup edits, and global Git settings, especially LANG=en_US.UTF-8, and keep a note of your previous values so you can undo them if needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README instructs users to run `--setup-env`, which persistently modifies Windows user environment variables, shell startup files, and global Git configuration, but it does not prominently warn that these are lasting user-level changes. In an agent-skill context, this is risky because assistants may execute setup steps on behalf of users, causing unintended configuration drift across future shells and tools.

Natural-Language Policy Violations

Medium

Confidence: 88% confidence
Finding: The guidance unconditionally sets `LANG=en_US.UTF-8`, which changes locale behavior beyond encoding and can affect sorting, message language, parsing, and tool behavior system-wide for interactive shell sessions. In this skill context, the goal is encoding correctness, but forcing a specific locale without justification or user choice can break workflows and produce hard-to-debug behavior changes.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal