Back to skill

Security audit

Nixomatic

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Nix/Docker package runner, but it broadly directs agents to fetch remote development environments with accepted flake configuration and to mutate project README files without a clear approval gate.

Install only if you are comfortable letting an agent fetch remote Nix flakes from nixomatic.com, accept flake-provided configuration, and run tools against your current workspace. Prefer explicit approval before use in repositories with secrets, production code, or sensitive data, and review any README.md changes before keeping them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill claims `nix develop` only places packages on PATH and does not execute arbitrary scripts at evaluation time, but all documented commands also pass `--accept-flake-config` to a remote flake URL. Accepting remote flake configuration materially expands trust in attacker-controlled or service-controlled settings and can enable execution-affecting behavior, so the safety claim is misleading and lowers operator caution around remote code execution and policy bypass risks.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description instructs the agent to use this skill whenever software is missing and says any nixpkgs package is available, creating an extremely broad activation scope. That makes it easier for unrelated tasks to route into a workflow that fetches and runs remote environments, increasing the chance of unnecessary exposure to unreviewed tooling and external services.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The 'universal package runner' and 'use this skill whenever you need software that is not installed' language creates ambiguous boundaries and encourages default use across many contexts. In practice this normalizes remote execution and dependency acquisition as a first resort, which is risky in sensitive repositories or when safer local alternatives exist.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill metadata/description does not clearly warn that it may modify `README.md`, even though the workflow later makes README maintenance a primary artifact. Silent or unexpected documentation changes can alter repositories beyond the user's requested task and may be abused to persist misleading commands or remote-environment instructions in project docs.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.