Back to skill

Security audit

Ai Code Helper

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local plaintext logging helper for code-related notes, with no evidence of remote exfiltration or destructive behavior.

Use this only for notes you are comfortable keeping in local plaintext. Do not log API keys, passwords, private source code, vulnerability details, or confidential customer data unless local retention is acceptable, and periodically review or delete ~/.local/share/ai-code-helper if you no longer need the history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as an AI code-review/generation tool, but the documented behavior is primarily persistent logging, search, export, and activity tracking. This mismatch can cause users to provide source code, secrets, or internal findings under the assumption of transient analysis, while the skill instead retains that data on disk.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The manifest and heading describe AI-powered code analysis, but the file documents a local file-based logger/reporting tool. Security-relevant capability drift is dangerous because it obscures the real data-handling behavior and may lead users to expose sensitive code or credentials without understanding they are being stored.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The command set materially expands beyond code assistance into collection, export, search, and reporting of historical user inputs. That broader operational scope increases the chance of sensitive data accumulation and makes the skill more dangerous than its stated purpose suggests.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The documentation states that all data is stored in plain-text files under a user directory, but this persistence is not disclosed in the manifest description. Undisclosed storage is risky because users may submit proprietary code, security findings, or tokens expecting ephemeral processing, creating avoidable confidentiality exposure.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest and user-facing text describe an AI-powered code review and generation tool, but the implementation only stores arbitrary user inputs to local log files and replays them. That mismatch is security-relevant because users may provide sensitive source code, secrets, or proprietary prompts under the assumption they are being processed ephemerally for analysis rather than persistently retained.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script implements search, export, recent activity, and status functions over stored user inputs that are not reflected in the stated skill purpose. Hidden data-handling features increase the chance of privacy violations and misuse because they expand access to previously entered content beyond what a user would reasonably expect from a code helper.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The tool creates a persistent data directory and initializes long-term storage for user activity without demonstrating necessity for the claimed linting/review workflow. Persisting potentially sensitive code and prompts in plain local files increases risk of later disclosure to other local users, malware, backups, or support tooling.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The branding and help text present the script as an AI/devtools assistant, but the actual code behavior is limited to recording and replaying inputs. Misleading presentation makes users more likely to submit confidential material, creating a trust and consent failure that directly increases privacy and data-exposure risk in this skill context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill description omits a clear warning that user inputs and command executions are persistently logged to disk. In a code-assistance context, users are likely to paste sensitive source code, stack traces, tokens, or internal URLs, so lack of warning materially increases accidental data exposure risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
User command inputs are written verbatim to log files with no clear warning at the point of collection. In a code-helper context, those inputs may contain source code, credentials, tokens, file paths, or incident data, so silent retention materially increases the likelihood of sensitive information disclosure.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill is designed to persist and export user-provided inputs across operations, which creates a data-retention channel for potentially sensitive code and operational details. Because the tool is framed as developer assistance, the context makes it more dangerous: users are especially likely to supply confidential material during debugging and code review.

Ssd 3

Medium
Confidence
95% confidence
Finding
The commands explicitly save provided arguments as timestamped entries, enabling systematic retention of arbitrary user content. This is dangerous because developers may pass sensitive issue descriptions, code snippets, or environment details directly as command arguments, which then remain on disk and in history.

Ssd 3

Medium
Confidence
96% confidence
Finding
Plain-text storage combined with full-text search and export increases the blast radius of any sensitive data entered into the tool. Even without remote exfiltration, local compromise, shared accounts, backups, or accidental exports can expose proprietary code, credentials, or security findings at scale.

Ssd 3

Medium
Confidence
94% confidence
Finding
Logging every command execution to an audit trail creates broad retention of user activity and can reveal what files, checks, fixes, or incidents were investigated. In a developer-tool context, this metadata can itself be sensitive and may expose internal project structure or security workstreams even if the content is partially sanitized.

Ssd 3

Medium
Confidence
97% confidence
Finding
The tool stores all user-provided inputs and offers plain-text search, display, and export operations over that history. This creates an easily accessible repository of potentially sensitive developer content, which is especially risky because the skill is framed as a code assistant and users are likely to paste confidential code or secrets.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.