Security audit

Archiver — Streaming Archive Packaging

Security checks across malware telemetry and agentic risk

Overview

This is a documentation skill for using a Node.js archive library, with no hidden persistence or credential behavior found.

Install only if you want Codex to help write Node.js archive-packaging code. When using it, explicitly choose the files or directories to archive and use glob ignore patterns for sensitive or bulky folders such as .git, node_modules, secrets, and build outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger words are extremely generic (for example, 'compress', 'package', 'archive', 'zip', and 'tar') and are likely to match many normal user requests that are not specifically asking to use this skill. In an agent-routing context, this can cause accidental invocation, expanding the situations where the skill handles user data or filesystem content and increasing the chance of inappropriate file packaging, unintended archive creation, or data exposure through over-broad activation.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.