axios-supply-chain-attack-check

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to clean up a suspected axios supply-chain issue, but its script can automatically change dependencies and delete files without a confirmation step.

Review the script before running it. Use it only in a backed-up or disposable working tree, and expect it to modify package dependencies, delete lockfiles and node_modules, reinstall from npm, and delete specific detected system files. A safer version would default to audit-only and require an explicit repair confirmation or flag.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill is scoped to 'all frontend projects' and tells users to immediately run a local script during an incident, which can cause over-activation in unrelated repositories and encourage execution before validating the script's provenance. In a security-response context, broad applicability combined with direct execution guidance increases the chance of unsafe or unnecessary command execution across environments.

VirusTotal

66/66 vendors flagged this skill as clean.
