Skylv Dependency Updater

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only dependency maintenance skill whose update behavior is disclosed and aligned with its purpose.

Install this if you want an agent to help check and update project dependencies. Review the generated report and changelogs before allowing changes, confirm it is operating in the intended repository, and keep updates separated so they can be tested and reverted if needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger phrases are broad enough to match routine maintenance requests such as 'update dependencies' or 'check for updates', causing the skill to activate in many common contexts. Because the skill proposes package-management commands that can modify project state and introduce supply-chain risk, overly broad invocation increases the chance of unintended execution or acting on ambiguous user intent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal