Security audit

Prepublish Privacy Scrub

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate privacy-scanning purpose, but its scrub command can overwrite files in place while the documentation claims backups are made.

Install only if you treat it as a scan-first helper. Do not rely on its backup claim; run it only on version-controlled or copied folders, review changes before publishing, and avoid using the scrub function on directories that contain binary or important non-skill files.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 98% confidence
Finding: The documentation promises that original files are backed up before scrubbing, but the provided implementation rewrites files in place with Out-File and contains no backup step. This can cause irreversible data loss or destructive modification of source files if the scrubber over-matches, malfunctions, or redacts values that were needed for later recovery.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal