Phy Env Doctor

Security checks across malware telemetry and agentic risk

Overview

Env Doctor is a local repository-auditing skill. The files it reads and the example file it generates are consistent with its stated purpose: documenting environment variables and checking for secrets.

Install it only if you are comfortable with a local agent scanning the current project for environment-variable usage and secret-like patterns. Run it only in the intended repository, treat its report as sensitive (it may name secret-bearing files), and review any generated files and suggested cleanup commands before applying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (83% confidence)

Finding: The trigger phrase 'audit secrets' is broad enough to capture sensitive security-review requests outside the narrow env-var use case, which can cause the skill to run in contexts where users did not intend repository-wide secret inspection. In an agent ecosystem, overbroad activation increases the chance of unnecessary access to sensitive files and secret-bearing artifacts.

Missing User Warnings

Medium (93% confidence)

Finding: The skill instructs creation of .env.example.generated via shell redirection without clearly warning the user that it will write a new file into the repository. Silent or unexpected file writes are risky in agent workflows because they can modify tracked content, overwrite user expectations, or be chained into follow-on commits.

VirusTotal

66/66 vendors flagged this skill as clean.