Rollbar

Security checks across malware telemetry and agentic risk

Overview

The skill is broadly aligned with Rollbar management, but it deserves Review because it handles high-impact Rollbar tokens and automatically runs workspace .env content while also allowing plaintext token persistence.

Install only in trusted workspaces. Prefer least-privilege project tokens, avoid account-level write tokens unless needed, use --dry-run before mutating Rollbar state, and avoid --save unless the resulting config file is protected. Do not run this skill in a workspace where .env may contain untrusted content, because the script sources that file as shell code.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The script can persist a newly created Rollbar access token to a local config file via --save, but it does not provide a clear warning about storing credentials on disk or enforce restrictive file permissions. In an agent/workspace context, this increases the chance that sensitive API tokens are left in plaintext where other local users, tools, or later workflows may read them.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal