Security audit

Fixture

Security checks across malware telemetry and agentic risk

Overview

This skill is a local test-fixture manager that runs a disclosed script and stores fixture data locally, with no evidence of hidden networking, credential access, or unrelated behavior.

Install only if you want a local fixture generator. Treat imported data as persistent under ~/.fixture/, review import/export paths before running commands, and use reset --confirm only when you intentionally want to clear the stored fixture records.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The documented reset command is destructive and includes a flag to bypass confirmation, yet there is no nearby warning that data deletion may be irreversible. In an agent setting, this can normalize unsafe invocation patterns and make accidental or automated data loss more likely.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The examples promote `reset --confirm` as a normal usage pattern without warning about irreversible deletion. Example commands are often copied verbatim, so this materially increases the chance of accidental wipe operations in real environments.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.