Back to skill

Security audit

Receiving Code Review

Security checks across malware telemetry and agentic risk

Overview

This skill is a code-review guidance document whose codebase search and GitHub reply instructions fit its stated purpose, with no evidence of hidden installation, persistence, credential theft, or destructive behavior.

Install this only if you want the agent to be skeptical and terse when handling reviews. Be aware it may inspect local project files and may use GitHub tooling for review replies; review any gh api command before allowing it to post or modify repository discussion content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill explicitly forbids any gratitude expression and mandates a rigid communication style without user opt-in. While not a classic security exploit, this is a genuine policy-shaping issue because it can override user-preferred tone, reduce transparency in collaborative contexts, and train the agent to follow prescriptive social constraints unrelated to task correctness.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.