Security audit

Unzip Tool

Security checks across malware telemetry and agentic risk

Overview

This is a simple local unzip helper with no network or credential behavior, but users should extract only into controlled folders because it writes files and can overwrite existing paths.

Install only if you want a basic unzip helper. Extract archives into a new empty directory, avoid untrusted ZIP files, and do not rely on the advertised list/test/non-overwrite options unless the implementation is updated.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill describes extraction and overwrite-related options but does not warn users that running it can write files to disk and may replace existing files, especially with -o. In an agent setting, missing this warning can lead to unintended file modification or data loss if the tool is invoked on untrusted archives or sensitive directories.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.