Windows packag manager installer

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide package installation guidance, with visible but high-impact package manager commands that users should run only from trusted sources.

Before installing, read the commands carefully, confirm they come from official package-manager documentation or a trusted mirror, and avoid changing package sources unless you understand how to restore the defaults.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill tells users to run privileged installation and source-configuration commands that change system package-manager state, including executing a remotely downloaded Chocolatey install script via `iex`, but it does not include explicit warnings about administrative impact, repository trust, or the risks of changing package sources. In a package-installation skill, such commands are contextually relevant, but omitting safety and trust guidance can lead users to execute high-impact system changes without understanding the security implications.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal