Nex Deliverables

Security checks across malware telemetry and agentic risk

Overview

This is a local client-deliverables tracker with disclosed local storage and no evidence of hidden network access or destructive behavior.

Install only if you are comfortable storing client names, contact details, retainer details, deadlines, notes, and deliverable history in a local SQLite database under ~/.nex-deliverables and adding a nex-deliverables command under ~/.local/bin. Use explicit commands for status changes and exports because some invocation phrases are broad.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill advertises shell execution (`bash setup.sh` / CLI usage), local file writes (database under `~/.nex-deliverables/`, export output), and environment interaction while declaring no permissions. This creates a trust and review gap: an agent or platform may treat the skill as lower risk than it really is, increasing the chance of unreviewed command execution or filesystem changes.

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger list contains broad natural phrases such as "deadline", "client status", "what's due", and "show overdue" that could match ordinary conversation and cause unintended invocation. In a skill that can run shell commands and modify local state, accidental activation is more dangerous because it may lead to unintended reads, writes, or status changes on local project data.

VirusTotal

67/67 vendors flagged this skill as clean.
