CLI-Hub Skill for CLI-Anything

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent guide for finding and installing CLI tools, but users should review each downstream package before installing it.

Use this as a discovery aid, not blanket approval for every CLI in the catalog. Before installing a downstream CLI, review its package/source, prefer isolated environments, pin versions where practical, and explicitly approve tools that can access accounts, browsers, local files, infrastructure, or external services.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill directs users to fetch a live remote catalog and install packages resolved from that catalog, but it provides no warning about network access, trust boundaries, package provenance, or the risks of installing third-party code. Because this is a meta-skill that promotes discovery and installation of many independent pip packages from a live registry, it materially increases supply-chain risk and could lead an agent to install and execute unreviewed code.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal