Coding Pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed coding-workflow guide with local state/logging helpers and no evidence of exfiltration, hidden execution, or destructive behavior.

Before installing, be aware that failed-debugging notes may be saved locally for future sessions. Keep secrets out of error logs, review `.learnings/ERRORS.md` and `.pipeline-state/` periodically, and only enable optional hooks if you want prompt-time reminders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
This guidance adds persistent cross-session memory by instructing the agent to write detailed failure records to `.learnings/ERRORS.md`, which exceeds the stated scope of a bounded debugging workflow. Even if intended to improve future performance, it can retain sensitive error output, task context, and operational details across sessions without clear necessity, consent, minimization, or retention controls.

VirusTotal

64/64 vendors flagged this skill as clean.
