Back to skill

Security audit

gen-test

Security checks across malware telemetry and agentic risk

Overview

This skill sets up Convex projects and its package installs and project edits are expected for that purpose.

Install this if you want an agent to help bootstrap or integrate Convex. Expect npm package installation and project file edits, and review scaffold/template choices before running them, especially if using a GitHub template rather than an official Convex template.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs automatic installation of packages and project modifications, including commands like pip/npm/cargo installs and configuration changes, without a clear global upfront warning that it may alter the user's environment or repository. In a security-sensitive setting, this can lead to unintended dependency installation, supply-chain exposure, and unauthorized workspace changes if the agent follows the workflow too eagerly.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.