Code Optimizer

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a code-assessment tool, but its deployment and retention behavior can persistently change the user's environment and store code-derived results without enough user control.

Review the deployment script before installing. Prefer a manual or dry-run setup, avoid running it on repositories with secrets until retention controls are clear, and back up Hermes configuration before allowing integration changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The script goes far beyond local code evaluation by creating directories, copying components into another application, generating executables, editing Hermes configuration, and installing user-facing integration artifacts. In a skill whose stated purpose is code quality assessment/optimization, this is an over-broad deployment capability that can unexpectedly change a user's environment and increase attack surface if the source tree or workspace is untrusted.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The script conditionally runs pip3 install for scikit-learn, numpy, and PyYAML from the network during deployment. Pulling packages at install time introduces supply-chain risk, executes unpinned code in the user's environment, and is not strictly necessary for a code-optimizer skill to analyze code safely.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The script rewrites an external Hermes YAML configuration file in place, enabling features and changing runtime behavior of another application. Because this occurs automatically and without confirmation or backup, it can break existing workflows, persist unexpected behavior, or be abused to inject unsafe settings if the deployment source is tampered with.

Context-Inappropriate Capability

Low
Confidence: 91%
Finding
Creating or overwriting a symlink in $HOME/bin changes the user's executable environment and can affect command resolution. While not inherently malicious, it exceeds the expected scope of a code optimization skill and can lead to persistence or confusion if the binary later changes behavior.

Intent-Code Divergence

Medium
Confidence: 81%
Finding
The CLI advertises a test-suite command but wires it to status output instead, creating a misleading trust signal. Users may believe validation was performed when it was not, which can result in unsafe deployment decisions or overconfidence in the tool's readiness.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill states that evaluation results are automatically recorded and stored in a memory system, but provides no warning about retention, sensitivity, or privacy consequences. Because the input is source code, the stored data may include proprietary code, secrets, credentials, or customer data that users did not expect to be retained.

Missing User Warnings

Medium
Confidence: 93%
Finding
Early deployment steps create directories and copy files into the target workspace without any confirmation, preview, or explicit warning. Silent modification of user state is risky in agent skills because users may invoke them expecting analysis only, not filesystem mutations across application boundaries.

Missing User Warnings

High
Confidence: 98%
Finding
Rewriting hermes.yaml in place without prior warning is especially dangerous because configuration files govern persistent application behavior. A failed or unintended write can corrupt the config, disable existing settings, or enable new features the user did not authorize.

Missing User Warnings

Medium
Confidence: 92%
Finding
Overwriting or creating a symlink in $HOME/bin without warning makes a PATH-affecting change that can persist beyond this skill's execution. This can shadow other commands, create user confusion, and establish a foothold for future unintended execution.

VirusTotal

67/67 vendors flagged this skill as clean.
