Security audit

Code Reviewer

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward code-review skill that asks the agent to inspect user-supplied code, diffs, or PRs without hidden install steps or persistence.

Install if you are comfortable having the agent review code you provide or direct it to access. Avoid using it on private repositories, secrets, credentials, regulated data, or proprietary code unless your organization permits that review path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly supports reviewing a GitHub PR URL or running `git diff`, which can expose proprietary source code, secrets in diffs, or private repository contents to the reviewing agent without any explicit privacy, consent, or data-handling warning. In a code-review skill, users are especially likely to submit sensitive code, so omission of clear safeguards increases the risk of unintended disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.