workspace-health-dashboard

Security checks across malware telemetry and agentic risk

Overview

This is a read-only workspace health dashboard, but its dependency-security wording is stronger than what the code actually checks.

Install only if you want a lightweight, read-only workspace health summary. Do not treat its dependency status as a real vulnerability audit; run a dedicated tool such as npm audit or another lockfile-aware scanner before making security decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The function is documented as a dependency vulnerability check, and the module/manifest also frame this dashboard as consolidating dependency security. In practice, the code merely parses package.json, counts dependencies, and explicitly notes that it does not perform a real audit, which is a direct contradiction of the stated check purpose.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The code runs a protected-skills status check and stores its result, but then unconditionally increments the dashboard 'passed' count with the comment 'Always pass if no error'. This contradicts the intent of a status-based health check because missing protected skills can produce a warning result that is still reported as passed in the summary.

VirusTotal

65/65 vendors flagged this skill as clean.
