BugPack

Security checks across malware telemetry and agentic risk

Overview

BugPack is a local bug-tracking helper whose disclosed behavior includes editing code and updating local bug status. Users should review the changes it makes, but the behavior fits its purpose.

Before using this skill, verify the bugpack-mcp npm package you run with npx, consider pinning a trusted version, and review any source-code diff and BugPack status update before relying on the bug being fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs the agent to edit source code and then update the bug record to 'fixed' without requiring user confirmation, preview, or review. This creates a real risk of unauthorized or premature code changes and inaccurate workflow state changes, especially because the same skill both modifies project files and mutates tracking data.

VirusTotal

42/42 vendors flagged this skill as clean.
