Back to skill

Security audit

Dependency Upgrade Planner / 依赖升级规划器

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only dependency upgrade planning skill with no executable payload, but users should be mindful that dependency analysis can expose project metadata if external tools are used.

Before installing, treat this as a lightweight planning prompt rather than a verified dependency tool. Use it only on repositories you are comfortable analyzing, and avoid sending private lockfiles, dependency inventories, or changelogs to external services unless you explicitly choose to do so.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises dependency-tree, changelog, and lockfile analysis plus Pro recommendations/CI integration, but it does not warn users that these features may expose package names, versions, repository metadata, or other project details to external services. In a dependency-management context, that omission matters because dependency inventories can reveal internal technologies, unpatched components, and proprietary architecture information, creating confidentiality and supply-chain risk if transmitted without informed consent.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.