Skylv Feature Flag Manager

Security checks across malware telemetry and agentic risk

Overview

This is a local feature-flag tool, but its broad activation triggers and inaccurate safety-critical command documentation could cause unintended feature changes.

Install only if you treat it as a local prototype. Do not rely on it for production rollouts or emergency kill switches without reviewing the code, narrowing when agents invoke it, and adding explicit confirmation or rollback procedures for mutating operations.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger list is broad enough to activate on ordinary discussion about product behavior rather than a deliberate request to use this skill. Because this skill performs state-changing operations that can alter live feature exposure, accidental invocation could cause unintended rollouts, disablements, or experimentation changes.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill presents commands that modify rollout state and persist configuration without clearly warning that they change live behavior and write to `.featureflags/config.json`. In operational contexts, a user or agent may treat these as informational commands, leading to unintended production-impacting changes that persist across sessions and affect end users.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal