Back to skill

Security audit

A2A-Code-Audit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent paid code-audit service, but users should be careful because submitted code is sent to a remote service and may contain secrets.

Install or use this only if you are comfortable sending selected code to the service operator. Redact secrets first, avoid regulated or proprietary code unless approved, require explicit confirmation for paid scans, and fix payment verification plus temporary-file handling before relying on the self-hosted version in production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill invokes local shell commands via execSync to discover and run Bandit. Although the command strings are currently static rather than user-controlled, this still creates undeclared command-execution behavior and expands the attack surface through PATH hijacking, environment manipulation, and unexpected local side effects.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill writes submitted code to a predictable file under /tmp, creating an undeclared filesystem side effect and exposing potentially sensitive source code on disk. Temporary files in shared environments can be read, raced, or left behind if errors occur before cleanup, causing confidentiality and data-retention risks.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The payment gate does not validate any real payment artifact and accepts any truthy `x402-payment` header or `payment` query value, so an attacker can bypass the paywall by sending arbitrary input such as `?payment=1`. Because the code comments describe this as payment authorization, operators may incorrectly assume access control or billing enforcement exists when it does not.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrase "code review" is very broad and likely to match ordinary user requests that are not intended to invoke this specific paid security-audit skill. This can cause unintended activation, scope confusion, and unexpected routing of sensitive code or user requests into the skill, especially because the skill advertises security scanning and payment-related behavior.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code persists analyzed content to disk without any user-facing disclosure, which is risky because scanned code may contain secrets, proprietary logic, or regulated data. The lack of warning or consent makes the privacy impact worse, especially in multi-tenant or hosted agent environments.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill executes shell commands without user-facing disclosure, which is an operational transparency and trust problem even if the commands are fixed and used for a legitimate scanning purpose. In restricted or sensitive environments, undisclosed command execution can violate expectations and enable abuse if the runtime environment is compromised.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs users to POST source code to a third-party remote endpoint, but it does not warn that submitted code leaves the local environment and is transmitted to an external service. This creates a real confidentiality and compliance risk because users may submit proprietary code, secrets, or regulated data without informed consent or understanding of retention and handling practices.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
audit.js:16

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
audit.js:64

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
worker.js:100