Back to skill

Security audit

lance-format

Security checks across malware telemetry and agentic risk

Overview

This is a Lance documentation/reference skill; the only notable risk is copy-pasting cleanup commands from quickstart examples.

Install is reasonable for Lance users. Before copying quickstart commands, run them in a dedicated test directory and review any cleanup or credential examples before applying them to real datasets or cloud storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence
92% confidence
Finding
The quickstart includes `shutil.rmtree(..., ignore_errors=True)` against fixed paths under `/tmp` without an explicit warning that these commands delete data. In documentation, readers often copy-paste examples directly, so destructive operations without cautionary context can cause unintended local data loss, even if the affected paths are demo locations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation includes `rm -rf sift* vec_data.lance` as a copy-pastable setup step without an explicit warning that it recursively deletes matching local files. In a quickstart context, users may run this from the wrong directory or with unintended matching filenames, causing accidental data loss even though the command is not malicious in intent.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.