diffmanifests

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent manifest comparison helper, but users should treat Gerrit/Gitiles credentials and manifest data as sensitive when using it.

Before installing, verify the diffmanifests PyPI package and use a virtual environment. If you add Gerrit or Gitiles credentials, use limited-scope API tokens rather than passwords, keep the config private, avoid committing it, and only process manifests you intend to send to the configured Gerrit/Gitiles services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs users to provide Gerrit/Gitiles URLs, usernames, and passwords/API tokens, but it does not disclose that using the tool will transmit authentication material and manifest-derived data to external services. This is a real security/privacy issue because users may unknowingly send sensitive repository metadata or credentials to remote endpoints, especially if they substitute non-default or internal Gerrit/Gitiles instances.

VirusTotal

65/65 vendors flagged this skill as clean.
