Release Readiness Checker

Security checks across malware telemetry and agentic risk

Overview

This is a transparent release-checklist skill with mostly read-only checks, but it overstates test verification and should not be treated as a real release gate by itself.

Safe to install as an advisory checklist. Do not rely on it alone to approve a release: run the actual test suite and CI separately, review any secret-scan matches before sharing reports, and treat npm/GitHub CLI checks as networked operations using your local credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill description claims it will verify that tests pass, but the implementation only detects whether test infrastructure exists and explicitly avoids executing tests. This creates a dangerous trust gap: users may approve a release believing test results were validated when no such verification occurred.

Intent-Code Divergence

High
Confidence: 99%
Finding
The 'Tests Pass' section confirms the skill does not run tests automatically, yet the surrounding documentation and release verdict logic present this as a readiness check. In a release-gating context, this can lead to false GO decisions and shipment of untested or broken code.

VirusTotal

65/65 vendors flagged this skill as clean.
