licenseguard

Security checks across malware telemetry and agentic risk

Overview

LicenseGuard is a local dependency-license scanner with disclosed report and git-hook features. It has some review-worthy implementation weaknesses, but there is no evidence of hidden data theft or destructive behavior.

Install if you want a local shell-based license scanner and are comfortable letting it read dependency files in the project you scan. Review lefthook.yml before running hooks install, because it changes repository commit behavior. Do not rely on the paid-tier license check as strong security; it is weak offline gating, not evidence of malware.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

High
Confidence: 99%
Finding
The script treats a JWT as valid by base64-decoding its payload and checking fields like product, tier, and exp, but it never verifies the token signature. An attacker can forge or modify the JWT payload to grant themselves higher tiers, bypass expiry, or impersonate a valid product license, defeating the entire trust model of the licensing mechanism.

Missing User Warnings

Low
Confidence: 85%
Finding
The hook installer silently creates or appends to lefthook.yml, changing repository behavior without an explicit warning or confirmation step. While the command is user-initiated, unexpected modification of repo config can surprise users, interfere with existing automation, or make review of security-relevant changes less likely.

VirusTotal

64/64 vendors flagged this skill as clean.