Diff Wizard

Security checks across malware telemetry and agentic risk

Overview

This is a local diff and merge tool with some confusing AI-safety wording, but the artifacts do not show hidden network, credential, persistence, or destructive behavior.

Install only if you want a local diff/merge helper and compare files or directories you intentionally choose. Use `--no-ai-explain` and avoid paste mode for secrets or proprietary content if you are unsure how your runtime handles AI prompts. Treat the crypto/wallet capability labels as inconsistent metadata rather than behavior shown by this artifact.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The tool enables AI explanation by default, including in paste mode, without a clear warning that pasted content may be transmitted to an AI component. Users may paste secrets, proprietary code, or personal data, creating an unintended confidentiality leak if the AI explainer uses an external service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal