Back to skill

Security audit

Grokipedia

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: search and fetch public Grokipedia articles without credentials, persistence, or local data access.

Reasonable to install for public Grokipedia lookups. Do not use sensitive search terms because queries are sent to grokipedia.com, treat --raw HTML output as untrusted if another tool renders it, and prefer pinned dependencies or a lockfile when reproducible installs matter.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Unpinned Dependencies

Low
Category
Supply Chain
Content
"install": "bun install --production"
  },
  "dependencies": {
    "jsdom": "^24.0.0",
    "@mozilla/readability": "^0.5.0"
  }
}
Confidence
90% confidence
Finding
"jsdom": "^24.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "jsdom": "^24.0.0",
    "@mozilla/readability": "^0.5.0"
  }
}
Confidence
90% confidence
Finding
"@mozilla/readability": "^0.5.0"

Known Vulnerable Dependency: @mozilla/readability==0.5.0 — 1 advisory(ies): CVE-2025-2792 (@mozilla/readability Denial of Service through Regex)

Low
Category
Supply Chain
Confidence
86% confidence
Finding
@mozilla/readability==0.5.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.