Back to skill

Security audit

JSON Schema Validator / JSON 架构验证器

Security checks across malware telemetry and agentic risk

Overview

This is a lightweight JSON/YAML validation skill with no bundled executable or install payload, but users should treat its auto-fix option as write-capable.

Installers should understand that this skill may guide an agent to modify JSON/YAML files when --auto-fix is used. Prefer version-controlled files, backups, or a read-only validation run before applying fixes, and note that the declared curl dependency is not explained by the current artifact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill prominently advertises an auto-fix capability but does not warn that using it may modify user files. That creates a real safety issue because users may invoke the tool expecting read-only validation and unintentionally overwrite configuration or data files, potentially causing data loss or introducing unnoticed changes into deployments.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The example command includes --auto-fix with no caution about overwriting or altering the target file, which normalizes destructive behavior as a default copy-paste action. In a skill context, examples are often executed verbatim, so omission of a warning materially increases the chance of unintended file modification and silent corruption of important config artifacts.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.