Nm Sanctum Pr Review

Security checks across malware telemetry and agentic risk

Overview

This PR review helper has a coherent purpose, but it can use GitHub/GitLab write access and may persist review findings into a project memory store with unclear default consent.

Install only if you are comfortable with a PR-review skill that can use your GitHub/GitLab identity and save selected review knowledge. Before use, confirm the active repository/account, preview any comments or issues before posting, and disable or require explicit interactive approval for knowledge capture on private or sensitive repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 79%
Finding: The skill's stated purpose is PR review, but it also directs the agent to create remote issues and write local report files. Those are side-effecting actions beyond passive analysis, which increases the risk of unintended repository modification or data persistence if the skill is invoked in the wrong context or without clear user consent. The danger is amplified because the skill includes concrete command templates for issue creation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 72%
Finding: The knowledge-capture phase instructs the agent to persist review findings into a project memory/review chamber, which is a data-sharing action not strictly necessary for PR review. This can cause sensitive code-review observations, architectural notes, or security findings to be stored in another system or namespace without strong scoping guarantees, creating confidentiality and retention risks.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding: The module defines bypass conditions that say version validation should not run at all, but later states that bypassed reviews should still execute validation and merely downgrade findings to WAIVED. This inconsistency can be exploited by applying a bypass label, flag, or PR marker to suppress blocking checks entirely, allowing version mismatches and release-integrity issues to merge unnoticed.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding: The trigger set is broad and includes generic terms like github, gitlab, code-quality, and review, increasing the chance the skill is invoked unintentionally in conversations that were not asking for this workflow. Because the skill contains side-effecting instructions such as issue creation and file output, accidental invocation could lead to unwanted actions or expose repository metadata in the wrong context.

Overly Broad Trigger

Severity: Low
Category: Trigger Abuse
Confidence: 88%
Finding: The trigger 'pr' is extremely short and likely to match unrelated user input, making accidental invocation plausible. In a skill that can lead to remote issue creation, local file writes, and broader review workflows, such ambiguous triggering expands the attack surface for unintended execution.

Shadow Command Trigger

Severity: Medium
Category: Trigger Abuse
Confidence: 85%
Finding: Using the trigger 'review' risks shadowing or conflicting with a built-in command of the same name. That can cause the wrong tool or workflow to run, and in this case the skill may perform broader actions than a user expected from a standard review command, including issue creation and knowledge capture side effects.

VirusTotal

65/65 vendors flagged this skill as clean.