Back to skill

Security audit

Pylinter Assist

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Python PR-linting skill with optional GitHub commenting, artifact downloads, and notifications; no hidden or deceptive behavior was found.

Install only if you want a PR linting tool with GitHub integration. Use least-privilege GitHub tokens, review workflow files before committing them, avoid passing bot tokens or webhook URLs directly on the command line, and enable Telegram/Discord/Slack/email notifications only if you are comfortable sending lint report details to those services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The CLI accepts callback secrets such as Telegram bot tokens and Discord webhook URLs directly via command-line arguments. On many systems, command-line arguments are exposed through shell history, process listings, audit logs, and CI job logs, which can leak credentials to other local users or to log collectors.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

No suspicious patterns detected.