prompt-token-analyzer

Security checks across malware telemetry and agentic risk

Overview

The only reported concern is a visible privileged install command, and there is no artifact-backed evidence of hidden, deceptive, destructive, or unrelated behavior.

Before installing, read the generated prompt-token file and avoid using sudo unless you trust the publisher and understand what will be placed in /usr/local/bin. Prefer installing to a user-local bin directory such as ~/.local/bin when practical.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs the user to run `sudo mv prompt-token /usr/local/bin/`, which is a privileged system modification, without any warning, justification of trust boundaries, or safer alternative. In an agent-skill context, normalizing `sudo` commands increases risk because users or agents may execute elevated operations on unreviewed generated files, potentially overwriting system binaries or persisting tampered code in a global PATH.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal