Back to skill

Security audit

Contract Reviewer Dongjie

Security checks across malware telemetry and agentic risk

Overview

The skill’s code is a simple local contract-text checker, but its marketplace metadata advertises unrelated crypto and purchase capabilities.

Review before installing because the code is narrow and local, but the listed crypto and purchase capabilities do not match a contract-review tool. Install only if those tags are harmless labels or the publisher corrects them; also treat the output as simple pattern matching, not legal advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Low
Confidence
83% confidence
Finding
The returned summary always says "Contract Reviewer Dongjie processed the text," which embeds a fixed name/locale-specific phrasing in user-facing output. Because the skill does not offer any user opt-in, localization choice, or documented region-specific justification, this can violate the policy against forcing a specific language/locale convention.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.