Dexie

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent Dexie.space API skill, with the main caveat being ordinary dependency hygiene around axios rather than evidence of malicious behavior.

Before installing, review the dependency lockfile or install result and use a patched, pinned axios version. The skill otherwise appears limited to its Dexie.space API purpose; treat returned market/trading data as external API data, not as a guarantee for financial decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "Jeff Coleman",
  "license": "MIT",
  "dependencies": {
    "axios": "^1.6.0"
  },
  "engines": {
    "node": ">=18.0.0"
Confidence
85% confidence
Finding
"axios": "^1.6.0"

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
axios==1.6.0

VirusTotal

64/64 vendors flagged this skill as clean.
