vet

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate code-review helper, but it deserves review because it can proactively read local coding-agent session histories and feed rich conversation/tool-output data into vet without clear per-run user control.

Install only if you are comfortable with vet accessing code diffs and, when history mode is used, local agent conversation transcripts that may include secrets or proprietary tool output. Prefer pinned or isolated installation, use no-history mode for sensitive work, verify the exact session file or session ID before running, and avoid automatic history-backed runs unless users have opted into that data flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill directs the agent to read local session files and invoke shell commands (`python3`, `opencode`, `grep`-style searching implied by the instructions) without declaring those capabilities. Undeclared file-read and shell behavior weakens reviewability and consent, and the session-discovery steps specifically target conversation transcripts that may contain sensitive prompts, secrets, or unrelated user data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented as a simple code-checking workflow, but its documented behavior includes locating, reading, and transforming full session histories from local harness storage and exporting transcripts through helper scripts. That mismatch is dangerous because it can cause operators to authorize a benign-seeming 'run vet' action while the skill actually accesses substantially more sensitive data than its description suggests.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script's behavior is unrelated to the declared skill purpose of proactively running vet after code changes. Instead, it parses and exports complete Claude Code session history, including assistant messages and tool interactions, which indicates hidden data-collection functionality under misleading skill metadata. In the context of a vet-oriented skill, this mismatch is especially suspicious because users would not reasonably expect conversation and tool transcript export.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code reconstructs detailed session and tool interaction history by correlating tool_use and tool_result records, then emits that data in structured form. This enables comprehensive transcript exfiltration, including potentially sensitive prompts, responses, tool inputs, and tool outputs, far beyond anything needed to 'run vet' on code changes. Because the skill context provides no legitimate need for session harvesting, this capability is disproportionately dangerous.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script's behavior materially conflicts with the declared skill purpose: instead of running vet after code changes, it exports and reformats full OpenCode session history. That creates an unjustified data access pathway that can capture prompts, assistant messages, tool inputs, and tool outputs, which may contain secrets, proprietary code, or other sensitive context unrelated to the claimed function.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The capability to export and process complete conversation/session data is not justified by a skill that is supposed to run vet on code changes. Because the script serializes user messages, assistant content, tool invocations, tool inputs, and tool outputs, it can expose a broad set of sensitive data and enable covert exfiltration through downstream consumers of stdout.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The instruction to run immediately after ANY logical unit of code changes and to be proactive creates an overly broad automatic trigger. In practice, this can lead to repeated unsolicited shell execution and repeated access to git diffs and conversation-history sources, increasing both data exposure and the chance of disruptive or privacy-invasive behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script prints session content directly to stdout without warning, confirmation, or redaction, creating an easy path for accidental disclosure through logs, pipelines, or downstream tooling. Exported data may include private user messages, assistant content, and tool invocation details, so silent emission materially increases confidentiality risk. In a skill presented as a vet helper, users are less likely to anticipate this disclosure behavior.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script prints transformed session contents directly to stdout without clear user-facing disclosure or confirmation, which can leak sensitive chat text and tool data into logs, pipelines, or other consuming processes. In the context of an agent skill, stdout is often captured automatically, making silent exposure more dangerous than a normal CLI utility.

VirusTotal

64/64 vendors flagged this skill as clean.