dep-audit

Security checks across malware telemetry and agentic risk

Overview

The skill is a legitimate dependency-audit tool, but it needs review because some file reads and report writes are broader than its safety documentation says.

Install only if you are comfortable with local audit tools reading project metadata and, for Go projects, analyzing package/source structure. Review generated commands before running fixes, avoid blindly using curl-to-sh install hints, and watch for unified.json, report.md, or sbom.cdx.json being created or overwritten in your project.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 76% confidence
Finding: The activation phrases are broad enough to trigger on generic security discussions such as 'audit', 'vulnerability', or 'security scan', which could cause the agent to invoke shell-based discovery and network-backed audit commands in contexts the user did not intend. In a skill with exec and network permissions, over-broad auto-activation increases the risk of unnecessary filesystem enumeration, external requests, and confusing or privacy-impacting behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal