Back to skill

Security audit

ESLint Config Generator

Security checks across malware telemetry and agentic risk

Overview

This is a simple ESLint config helper that writes a local config file; its main risk is overwriting project configuration or running npm commands if the user follows the optional dependency instructions.

Before using it, check whether your project already has .eslintrc.json because the script overwrites that file. Review any npm install command before running it, since installing ESLint presets can change package files and execute normal package lifecycle scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill advertises automatic dependency installation without warning that it may run package-manager commands and modify the user's project. In agent or automated environments, invoking npm install can execute lifecycle scripts from downloaded packages, alter lockfiles, and change the workspace state unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.