Nextjs

Security checks across malware telemetry and agentic risk

Overview

This is a repo-local code review helper whose broad review workflow and powerful commands are disclosed and aligned with its purpose.

Install this if you want automated review closeout for this repo. Before using the helper, be aware that its default Codex review mode bypasses sandbox approvals for nested review; use --no-yolo or AUTOREVIEW_YOLO=0 if you do not want that level of local authority, and review any fallback external reviewer use for private diffs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill's invocation guidance is generic and effectively applies to a very broad class of 'developer workflow' tasks without clear boundaries, prerequisites, or safety gates. In an automation context, this can cause the agent to invoke the skill in unintended situations, increasing the chance of producing or acting on code, architecture, or deployment guidance outside the user's actual intent or risk tolerance.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal