Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
# Corpus Search - Requirements # ChromaDB 向量数据库 chromadb>=0.5.0 # 嵌入模型(语义向量化) sentence-transformers>=2.2.2
- Confidence
- 93% confidence
- Finding
- chromadb>=0.5.0
Corpus Search
Security checks across malware telemetry and agentic risk
Overview
This is a local corpus search skill whose code matches its stated purpose, with dependency hygiene issues but no artifact-backed hidden or harmful behavior.
Before installing, consider pinning the Python dependencies in a lockfile, verify the configured ChromaDB corpus path points only to content you want searched, and run it in an environment where downloading the embedding model is acceptable.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
chromadb>=0.5.0 # 嵌入模型(语义向量化) sentence-transformers>=2.2.2 # 配置文件解析 pyyaml>=6.0.1
- Confidence
- 93% confidence
- Finding
- sentence-transformers>=2.2.2
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
sentence-transformers>=2.2.2 # 配置文件解析 pyyaml>=6.0.1 # CLI 美化输出 rich>=13.7.0
- Confidence
- 97% confidence
- Finding
- pyyaml>=6.0.1
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
pyyaml>=6.0.1 # CLI 美化输出 rich>=13.7.0 # 进度条支持 tqdm>=4.65.0
- Confidence
- 88% confidence
- Finding
- rich>=13.7.0
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
rich>=13.7.0 # 进度条支持 tqdm>=4.65.0 # 缓存机制 diskcache>=5.6.3
- Confidence
- 96% confidence
- Finding
- tqdm>=4.65.0
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
tqdm>=4.65.0 # 缓存机制 diskcache>=5.6.3
- Confidence
- 92% confidence
- Finding
- diskcache>=5.6.3
Known Vulnerable Dependency: tqdm — 3 advisory(ies): CVE-2024-34062 (tqdm CLI arguments injection attack); CVE-2016-10075 (TDQM Arbitrary Code Execution); CVE-2016-10075 (The tqdm._version module in tqdm versions 4.4.1 and 4.10 allows local users to e)
High
- Category
- Supply Chain
- Confidence
- 82% confidence
- Finding
- tqdm
VirusTotal
66/66 vendors flagged this skill as clean.