Feature Flag Manager

Security checks across malware telemetry and agentic risk

Overview

This appears local-only and not malicious, but it advertises feature rollout and kill-switch controls that the code does not reliably implement.

Review before installing for real rollout control or AI-agent kill switches. It looks local-only, but do not rely on its percentage rollout, A/B testing, user targeting, or explicit on/off examples unless the code is fixed and tested; inspect .featureflags/config.json before letting it influence important behavior.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger list includes broad phrases like "toggle feature," "enable feature," and "disable feature," which are common in normal engineering and product conversations. This can cause unintended invocation of the skill in unrelated contexts, potentially leading an agent to perform feature-flag operations when the user only intended to discuss rollout strategy or product behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal