Bolt New

Security checks across malware telemetry and agentic risk

Overview

This is a plain Bolt.new usage guide with disclosed cloud deployment advice and no hidden code or automatic actions.

Safe to install as a guide. Before using Bolt.new deployment, review generated code, remove secrets and private data, confirm environment variable handling, and assume Netlify links may be publicly accessible unless configured otherwise.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill promotes one-click deployment to Netlify and obtaining a public URL, but it does not clearly warn that deployment can expose application code, embedded test data, and misconfigured secrets to the public internet. In a developer-assistant context, this omission is meaningful because users may rapidly publish prototypes without understanding the visibility and security implications.

VirusTotal

49/49 vendors flagged this skill as clean.

View on VirusTotal