code-dev-pipeline (Code Development Pipeline)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coding workflow skill, but it gives itself broad control over ordinary coding requests and repository changes without enough user-directed scoping.

Review before installing. Use it only in repositories where you are comfortable with an agent creating or modifying workflow artifacts, and do not allow automatic git add/commit behavior unless you have inspected the diff and explicitly approved the staged files. Prefer configuring it to follow the user's language and to redact sensitive data in logging examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Medium (95% confidence)
Finding: The instructions require the agent to perform Git commit operations as part of coding, which introduces persistent side effects outside the minimum scope of code generation. In an agent setting, this can modify repository history, create unauthorized commits, and interfere with user workflows or audit trails without explicit per-task approval.

Vague Triggers

High (97% confidence)
Finding: The skill description repeatedly says it 'must' be used for broad categories like writing code, implementing features, frontend work, and any task with code-quality expectations. That can hijack normal user requests into an unnecessarily heavy workflow, reducing user control and increasing the chance the agent ignores simpler or safer approaches better aligned with the request. In skill-routing systems, broad mandatory activation behaves like a policy override and can crowd out other tools or direct responses.

Vague Triggers

High (95% confidence)
Finding: The trigger list includes very common phrases such as '开发代码' (develop code), '写程序' (write a program), and '实现功能' (implement a feature), which are generic to ordinary coding requests. This makes accidental or excessive invocation likely, allowing the skill to capture a large fraction of development-related prompts regardless of actual complexity or user preference. The surrounding text reinforces this by framing the skill as the default path for common coding tasks.

Natural-Language Policy Violations

Medium (88% confidence)
Finding: The skill is written entirely in Chinese and prescribes fixed output formats and workflow text without any indication that language should follow user preference. In multilingual agent environments, this can cause the assistant to respond in an unintended language, degrading usability, creating misunderstanding, and interfering with downstream review or compliance processes. The risk is lower than direct code-execution abuse, but it still undermines user intent and reliable operation.

Natural-Language Policy Violations

Medium (83% confidence)
Finding: The file is written entirely in Chinese and frames the Analyst role instructions without offering any user-language negotiation or documenting why Chinese-only operation is required. In a general-purpose code-development skill, this can cause user intent mismatches, misunderstood requirements, and downstream implementation errors, especially when the pipeline is supposed to transform requirements precisely.

Missing User Warnings

Medium (98% confidence)
Finding: The mandated workflow uses 'git add .' and commits all changes, which can unintentionally stage secrets, unrelated local files, generated artifacts, or other sensitive content present in the working tree. In an autonomous agent context this is especially risky because the agent may not reliably distinguish intended files from incidental ones before creating a permanent commit.

Natural-Language Policy Violations

Medium (92% confidence)
Finding: The skill content and metadata strongly bias or require Chinese-language interaction without presenting a user-language choice or fallback. In a coordinator role that is the sole interface to the user, this can cause misunderstanding of requirements, acceptance criteria, and security-relevant constraints, leading to incorrect or unsafe implementation outcomes.

Missing User Warnings

Medium (90% confidence)
Finding: The workflow explicitly performs automatic filesystem writes and replaces a symlink under a project-controlled path without any stated user confirmation, sandboxing, or path-safety constraints. In an agent skill that may be invoked for code-development tasks, this increases the risk of unintended local modification, artifact overwrites, and unsafe file operations if project names or paths are not tightly controlled.

Ssd 3

Medium (96% confidence)
Finding: The logging guidance explicitly records user email addresses and raw exception details, which can expose personally identifiable information and sensitive internal error context in logs. If logs are centralized, shared, or retained broadly, this increases the blast radius of data leakage and may aid attackers in reconnaissance.

Ssd 3

Medium (97% confidence)
Finding: The example code reinforces insecure practice by logging registration attempts and failures with the user's email address, normalizing leakage of sensitive user input into application logs. Because examples are often copied directly, this materially increases the likelihood of widespread insecure implementations.

VirusTotal

66/66 vendors flagged this skill as clean.