Back to skill

Security audit

Confmt

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward config formatter and differ, but its output can reveal secrets if used on credential-bearing config files.

Use this skill only on configuration files whose contents you are comfortable showing in the agent output. Avoid running it on production .env files, API keys, passwords, tokens, or private configs unless you intend those values to appear in logs or transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This tool reads configuration files and prints their full normalized contents or diffs, which can readily expose secrets such as API keys, passwords, and tokens commonly stored in JSON, TOML, and especially .env files. In an agent-skill context, automatically echoing sensitive values to stdout increases the risk of credential disclosure into logs, chat transcripts, or downstream tooling.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.