Skylv Package Updater

Security checks across malware telemetry and agentic risk

Overview

This is a simple dependency-update helper whose repo-changing behavior is disclosed and aligned with its purpose.

Install this only if you want an agent to help change project dependencies. Use it on a branch, review the report and changelogs before approving updates, and require explicit confirmation before patch updates or commits are made.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger phrases are broad enough to match routine maintenance requests such as 'update dependencies' or 'check outdated', which can invoke a skill that performs project-modifying actions without clearly signaling side effects. In an agent context, overly generic triggers increase the chance of accidental activation and unintended package or lockfile changes, especially when users may only want an audit or report.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill describes checking and updating dependencies but does not clearly warn that these operations can modify manifests, lockfiles, and the installed dependency tree. That omission can mislead users or higher-level agents into treating the skill as informational, increasing the risk of unintended repository changes and downstream build or compatibility issues.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal