Code Card Sync

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do the advertised Code Card syncing, but it warrants review because it can send all AI coding session data to a third party and recommends recurring automatic syncs without clear data-scope disclosures.

Install only if you are comfortable sending AI coding-session statistics to Code Card. Before running it, review the Code Card CLI and privacy terms, avoid exposing the local API key in logs, consider pinning a package version instead of using `latest`, and add the cron jobs only if you want ongoing automatic syncs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium (95% confidence)
Finding
The skill explicitly instructs the user to sync AI coding session data to an external third-party service, but it does not provide a clear privacy warning about what data is transmitted, how much history is uploaded, or the consequences of linking accounts. Because the setup and sync commands are presented as routine actions, users may disclose sensitive coding metadata or session-derived information without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.
