Back to skill

Security audit

Bring Recipes

Security checks across malware telemetry and agentic risk

Overview

This appears to be a narrow Bring recipe-browsing helper, with the main caution that it asks users to provide their Bring account password through environment variables.

Before installing, inspect the actual CLI source and npm dependencies if available. Use Bring credentials only in a trusted local shell, avoid storing the password in shared profiles, logs, or CI, and unset or rotate the password if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
92% confidence
Finding
The skill documentation instructs users to place Bring! account credentials in environment variables but does not warn that these values are sensitive or recommend safer handling practices. While environment variables are common for CLI authentication, they can be exposed through shell history, process inspection in some environments, logs, or accidental sharing of terminal setup files, so the omission is a real but low-severity security weakness.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.