Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
"install": "bun install --production" }, "dependencies": { "jsdom": "^24.0.0", "@mozilla/readability": "^0.5.0" } }- Confidence
- 40% confidence
- Finding
- "jsdom": "^24.0.0"
Grokipedia
Security checks across malware telemetry and agentic risk
Overview
This skill appears to do what it claims: search and fetch public Grokipedia pages without credentials, persistence, or local data access.
Reasonable to install for public Grokipedia lookups. Avoid sensitive search queries because they are sent to grokipedia.com, and prefer a lockfile or reviewed dependency install if you need reproducible supply-chain behavior. Treat --raw HTML output as untrusted if another tool renders it.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
}, "dependencies": { "jsdom": "^24.0.0", "@mozilla/readability": "^0.5.0" } }- Confidence
- 40% confidence
- Finding
- "@mozilla/readability": "^0.5.0"
Known Vulnerable Dependency: @mozilla/readability==0.5.0 — 1 advisory(ies): CVE-2025-2792 (@mozilla/readability Denial of Service through Regex)
Low
- Category
- Supply Chain
- Confidence
- 60% confidence
- Finding
- @mozilla/readability==0.5.0
VirusTotal
64/64 vendors flagged this skill as clean.