Smart Secrets Scanner
Security checks across malware telemetry and agentic risk
Overview
The skill has a legitimate secrets-scanning purpose, but its instructions rely on an unprovided local scanner script that would handle sensitive credentials, modify files, and install a persistent hook.
Review before installing. Only run the documented `node scanner.js` commands if you know exactly which scanner.js will execute and trust its source. Limit scans to repositories you intend to audit, treat findings as secrets, review diffs before redaction, and install the pre-commit hook only if you know how to remove it.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
- Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
- Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
- Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
66/66 vendors flagged this skill as clean.
