Nm Abstract Plugin Review

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent code-review helper, but it defaults to running nested review tooling with sandbox and approval bypass enabled.

Install only if you are comfortable with a review helper that may run nested Codex review with approval and sandbox bypass by default. Prefer setting AUTOREVIEW_YOLO=0 or using --no-yolo unless full local access is intentionally needed, and be aware that fallback reviewers can send generated diffs to configured external AI CLI tools.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger list includes very generic terms such as 'review', 'quality', 'validation', 'testing', and 'architecture', which are likely to match many unrelated user requests. This can cause unintended invocation of the skill, leading the agent to load plugin-review behavior in contexts where the user did not explicitly request it, potentially interfering with expected workflows or exposing repository context more broadly than intended.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal