RobotX Deploy CLI

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward RobotX deployment helper. The risks it carries are disclosed but important: installing a remote CLI, storing credentials, and running deploy or publish commands.

Before installing, review the RobotX CLI installer or use a pinned release/checksum if available instead of blindly piping remote scripts to bash. Use least-privilege RobotX credentials, prefer environment variables for CI, protect or remove ~/.robotx.yaml on shared machines, and confirm deploy or publish targets before running commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium (96% confidence)
Finding
The skill instructs users to fetch and immediately execute remote shell scripts from GitHub using a pipe to bash. This creates a supply-chain execution risk because any compromise of the repository, account, network path, or referenced branch could result in arbitrary code execution on the host without prior inspection or integrity verification.

VirusTotal

57/57 vendors flagged this skill as clean.
