Config Manager

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only config editing skill with expected file mutation guidance and no hidden execution, exfiltration, or persistence.

Install only if you want an agent to help edit configuration files. Use it on specific files, keep backups, review diffs before applying changes, validate configs before deploying them, and take extra care with .env files because they may contain secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium, 91% confidence
Finding
The skill states that syntax should be validated before saving, but its documented workflows write changes in place and only validate afterward. This can leave a broken or partially applied configuration on disk if a command or expression is wrong, causing outages or unsafe application behavior before validation catches the problem.

Missing User Warnings

Medium, 79% confidence
Finding
These `.env` examples directly read and modify files that commonly store secrets, but they provide no warning about handling sensitive credentials or avoiding disclosure in logs, terminals, or commits. In an agent skill focused on config management, normalizing direct secret-file manipulation increases the chance of inadvertent credential exposure or destructive edits to production configuration.

VirusTotal

64/64 vendors flagged this skill as clean.
