bundlephobia

Security checks across malware telemetry and agentic risk

Overview

This is mostly a disclosed local bundle analyzer, but it needs Review because a crafted license key can execute code during license parsing and the hook installer persists commit-time behavior in a repository.

Install only if you trust the publisher and the source of any BundlePhobia license key. Avoid pasting or configuring untrusted license tokens, treat the license key as sensitive, and review lefthook.yml after using hooks install because it adds persistent pre-commit scanning that can block commits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
76% confidence
Finding
The skill advertises execution paths that use environment variables and likely perform license handling, yet no explicit permission declaration or clear capability disclosure is present. In an agent setting, undeclared access to env/config and possible network-related behavior reduces informed consent and makes secret exposure or unexpected outbound validation harder to audit.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The declared purpose is a local bundle analyzer, but the documented behavior also includes license validation, feature gating, git hook installation/removal, report generation, and CI enforcement. This mismatch is dangerous because users may invoke a seemingly read-only analysis skill without realizing it can modify repositories, consume secrets from env/config, or affect developer workflow by blocking commits/builds.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script goes beyond passive bundle analysis by installing and removing Git hooks and editing repository configuration files. That is a real scope-expansion risk because it introduces persistent, write-capable behavior into user repositories, increasing trust requirements and the blast radius if the skill or its sourced components are modified.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Repository hook management is a write-capable automation feature that persists execution on future commits, which is materially different from a one-time analyzer. In this context, the capability is not inherently malicious, but it does create a meaningful security boundary crossing because it alters developer workflow and can execute additional code later via sourced scripts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to store a license key directly in a persistent plaintext config file and also suggests exporting it as an environment variable, without any warning about credential handling or OS-specific secret storage. While a license key is not typically as sensitive as a password, it is still a bearer credential that can be exposed through file disclosure, backups, shell history, shared home directories, screenshots, or accidental commits.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The invocation examples are broad enough to match many generic project-analysis requests, which can cause the skill to trigger in contexts where the user did not specifically ask for this tool. In agent ecosystems, overbroad routing increases the chance of unnecessary repo scanning, reading package/config files, or invoking adjacent features with higher side effects than expected.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation describes installing git hooks but does not prominently warn that this changes repository hook configuration and may block commits. In practice, modifying commit-time controls is a state-changing operation with workflow and supply-chain implications, and users may not realize they are delegating persistent enforcement into their repo.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The install path writes or appends to lefthook.yml without an explicit warning that repository configuration will be changed. While the user invoked an install command, lack of a clear pre-write notice and preview reduces informed consent and makes accidental repository modification more likely.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The uninstall path rewrites lefthook.yml using sed/grep transformations without a clear warning or preview of the changes. This is risky because config rewriting can remove unintended content or leave the file in an inconsistent state, especially when pattern-based deletion is used.

VirusTotal

67/67 vendors flagged this skill as clean.