dev-backup

Security checks across malware telemetry and agentic risk

Overview

This skill is a local project backup helper with proportionate filesystem access, but users should be careful about restores and backup contents.

Install only if you want local filesystem snapshots of projects. Confirm the exact project path and backup output directory before running it, ensure rsync is available if you rely on exclusions like .env, and restore into a separate review directory or after a fresh backup rather than directly over active work.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The README advertises broad natural-language triggers such as 'Fai un backup dello sviluppo' and 'Ripristina il backup di [nome-progetto]' without requiring confirmation, explicit paths, or scope checks. In an agent setting, vague triggers can cause unintended backup or restore operations on the wrong project, especially because restore actions are state-changing and potentially destructive.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The restore instructions tell users to copy snapshot contents back into the application path, but do not warn that this can overwrite existing files or produce partial merges that destroy current work. In practice, an agent or user following these instructions could irreversibly replace modified files, restore stale code, or corrupt a project by copying a snapshot into a non-empty target.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal