Back to skill

Security audit

Secrets Scanner & Remediator / 密钥扫描与修复器

Security checks across malware telemetry and agentic risk

Overview

This security skill is purpose-aligned, but it advertises repository-changing remediation and live cloud key rotation without clear safety controls.

Install only if you are prepared for a tool that may access sensitive repository history and potentially change repo files or live cloud credentials. Use it first in scan-only or dry-run mode if available, review generated reports as confidential, and do not allow key rotation unless you have verified the target account, permissions, affected applications, and rollback plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises automatic secret replacement and .gitignore generation but does not clearly warn that it may modify repository files. In a security tool, silent or poorly disclosed write actions can cause unintended source changes, mask evidence, or disrupt development workflows if a user expects a read-only scan.

Missing User Warnings

High
Confidence
97% confidence
Finding
One-click key rotation through cloud provider APIs can make irreversible changes to live credentials, potentially breaking applications, automation, or incident response workflows if triggered without clear warning and operator intent. Because credential rotation affects external infrastructure rather than just local files, misuse can cause service outages or lockouts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Scanning the entire repository history and exporting detailed reports may process and reproduce sensitive data, including historic secrets and credential metadata. Without a warning, users may generate reports that themselves become sensitive artifacts or unintentionally expose secret material during handling, sharing, or storage.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.