envoic

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed development cleanup helper; its risky parts are documented cleanup and optional installer commands, not hidden or automatic behavior.

Install only if you want a tool that can audit and clean development environments and build artifacts. Start with a narrow folder, run scans and dry-runs first, inspect every proposed deletion, avoid --yes unless you are sure the listed items are safe to recreate, and avoid piping remote install scripts into a shell unless you trust and verify the source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding: This markdown file includes `clean` command examples, including `--yes`, which strongly suggests deletion or irreversible cleanup, but the surrounding documentation provides no warning about potential data removal. For markdown files, safety-relevant behaviors that may affect user data or system state should be disclosed so users understand the impact before running the command.

External Script Fetching

Low
Category: Supply Chain
Content:
## uvx Not Found

- Install uv, then retry: `curl -LsSf https://astral.sh/uv/install.sh | sh`
- Fallback install: `pip install envoic`

## npx Slow or Hanging
Confidence: 15%
Finding: `curl -LsSf https://astral.sh/uv/install.sh | sh`

VirusTotal

64/64 vendors flagged this skill as clean.
