Back to skill

Security audit

Env Config Manager / 环境配置管理

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but it asks agents to handle production environment secrets and mentions automatic cloud-vault syncing without clear safeguards or user consent boundaries.

Review this carefully before installing. Use it only on non-production copies until behavior is clear, avoid giving it broad cloud or repository credentials, require explicit confirmation before writing .env files or syncing secrets, and verify any cloud-vault integration and commit automation before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill advertises merging and generating .env files but does not warn that these actions can overwrite existing configuration or produce modified outputs. For a tool that manipulates deployment configuration, missing safety warnings increase the risk of accidental destructive changes, misconfiguration, or release-impacting errors.

Missing User Warnings

High
Confidence
95% confidence
Finding
The documentation states that the skill encrypts sensitive keys and may sync secrets to cloud vaults, but it does not warn users about handling sensitive credentials or the risks of transmitting them to external services. This omission can lead users to expose production secrets without understanding trust boundaries, retention, or access-control implications.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.