Security audit

Codex Review

Security checks across malware telemetry and agentic risk

Overview

This is a code-review instruction skill whose main risk is that optional external model review can send reviewed code to a configured API.

Install this only if you want an agent to inspect the code you ask it to review. Leave CODEX_REVIEW_API_KEY unset, or explicitly say to skip the external model, for local-only review. If you enable the external API, assume reviewed snippets may be sent to that provider. For L2/L3 behavior, review the companion bug-audit skill separately before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence
Severity: High | Confidence: 98%
Finding:
The skill claims it does not upload code anywhere, yet later explicitly instructs sending code content to an external API. This is a security/privacy vulnerability because users and downstream agents may rely on the misleading assurance and unintentionally transmit sensitive source code, secrets, or proprietary data off-host.

Intent-Code Divergence
Severity: Medium | Confidence: 96%
Finding:
The statement that there is 'No network transmission of analysis results' conflicts with documented behavior that sends code for review to an external endpoint. Even if the phrase refers only to final reports, the wording is materially misleading in a security-sensitive skill and can cause improper handling of confidential code under false assumptions.

Vague Triggers
Severity: Medium | Confidence: 91%
Finding:
The trigger phrases listed in the activation table are very broad natural-language requests such as "review this" and "audit this." In agent environments, overly generic triggers can cause unintended skill activation during ordinary conversation or when processing untrusted repository content, creating prompt-surface expansion and potentially invoking higher-risk workflows unexpectedly.

Vague Triggers
Severity: Medium | Confidence: 89%
Finding:
The feature description further broadens activation semantics by encouraging generic commands like "review," "audit," and "cross-validate" without precise constraints. This increases the chance of accidental or adversarial triggering from routine user text, issue descriptions, or embedded prompt content, especially because the skill orchestrates multi-stage review behavior.

Vague Triggers
Severity: Medium | Confidence: 90%
Finding:
Broad trigger phrases such as 'review' or similar everyday language can cause unintended activation of a skill that may read large codebases, invoke other skills, write temp artifacts, and optionally send code to an external API. In context, accidental triggering increases privacy and operational risk because sensitive review actions may occur without the user intending to invoke this specific skill.

VirusTotal

63/63 vendors flagged this skill as clean.