Back to skill

Security audit

Clean Unused Deps

Security checks across malware telemetry and agentic risk

Overview

This skill gives straightforward instructions for finding and removing unused npm packages, with the main risk being accidental project breakage if removals are not verified.

Use this only in projects under version control. Review each depcheck result against source files, scripts, configs, and build or CI setup before uninstalling, then run tests or a build after changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to uninstall dependencies based solely on `depcheck` results without warning that dependency detection can be incomplete for dynamically loaded packages, build tooling, scripts, or framework conventions. This can lead to removal of still-required packages, breaking builds, tests, deployment, or runtime behavior in a way that is avoidable with clearer safety guidance.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.