Convex

Security checks across malware telemetry and agentic risk

Overview

This Convex skill is a coherent development helper with no artifact-backed evidence of exfiltration, deception, destructive behavior, or hidden privileged actions.

Install only if you want an agent to help with Convex development. Review any suggested `npx` commands before running them, avoid storing secrets in project memory or notes, and clear any local context files if you do not want reusable project details retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The activation rule is broad enough that the skill may engage on incidental mentions of Convex rather than clear user intent, causing unnecessary collection of project context and persistence to memory. In a backend/security-sensitive skill, accidental activation increases the chance of overreach, confusion, and inappropriate handling of repository or architecture details.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill directs the agent to persist reusable project context to a local file, but it does not require explicit user notice or consent before writing to disk. Even though it says not to store secrets, project architecture, auth constraints, incident history, and rollout lessons can still be sensitive, and silent persistence creates privacy and data-governance risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal