morning-brief

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed daily morning brief that fetches public holiday data and writes a small local cache, with dependency hygiene issues but no evidence of hidden or harmful behavior.

Install this only if you want a daily scheduled brief. Be aware it contacts an external public holiday-data source and relies on npm packages; pinning dependencies or using a reviewed lockfile would improve reproducibility.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "OpenClaw Community",
  "license": "MIT",
  "dependencies": {
    "axios": "^1.6.0",
    "dayjs": "^1.11.0"
  }
}
Confidence
91% confidence
Finding
"axios": "^1.6.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "MIT",
  "dependencies": {
    "axios": "^1.6.0",
    "dayjs": "^1.11.0"
  }
}
Confidence
88% confidence
Finding
"dayjs": "^1.11.0"

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
axios==1.6.0

VirusTotal

59/59 vendors flagged this skill as clean.
