Coding Contract

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a spec-writing skill whose workspace file creation is purpose-aligned, but users should watch for broad activation and confirm where files are saved.

Install only if you want an agent to generate and save spec/contract documents in your workspace. Before using it, confirm the target filename/path and whether existing files may be overwritten; avoid invoking it for vague design-document requests unless you really want a coding spec artifact.

SkillSpector (2)

By NVIDIA

Vague Triggers

Medium, 88% confidence

Finding: The trigger conditions are broad enough to activate on generic design-document conversion or specification requests, which can cause the skill to run in contexts the user did not explicitly intend. This is dangerous because the skill is authorized to shape outputs and later instructs file creation, so over-broad activation can lead to unintended workspace modifications or misaligned task handling.

Missing User Warnings

Medium, 95% confidence

Finding: The skill explicitly instructs saving a generated file to the workspace without requiring user confirmation or warning that a file will be created or overwritten. This is dangerous because an automatically invoked skill could make unintended persistent changes, potentially overwriting user work or creating artifacts in sensitive repository paths.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

59/59 vendors flagged this skill as clean.
