Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
openai>=1.12.0 python-dotenv>=1.0.0 pydantic>=2.5.0
- Confidence
- 93% confidence
- Finding
- openai>=1.12.0
Claimback Radar
Security checks across malware telemetry and agentic risk
Overview
This skill does what it says: it sends user-provided billing text to OpenAI to summarize subscription risks, with the main risks disclosed.
Install only if you are comfortable sending the email or bill text you provide to OpenAI. Avoid submitting account numbers, identity documents, or highly sensitive financial details unless that data flow is acceptable to you. Prefer setting OPENAI_API_KEY explicitly, and if you use .env, keep unrelated secrets out of the working directory. For stricter production use, pin dependencies or install with a reviewed lockfile.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
openai>=1.12.0 python-dotenv>=1.0.0 pydantic>=2.5.0
- Confidence
- 96% confidence
- Finding
- python-dotenv>=1.0.0
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
openai>=1.12.0 python-dotenv>=1.0.0 pydantic>=2.5.0
- Confidence
- 98% confidence
- Finding
- pydantic>=2.5.0
Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )
Low
- Category
- Supply Chain
- Confidence
- 68% confidence
- Finding
- python-dotenv
Known Vulnerable Dependency: pydantic — 3 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.)
High
- Category
- Supply Chain
- Confidence
- 89% confidence
- Finding
- pydantic
VirusTotal
66/66 vendors flagged this skill as clean.