Back to skill

Security audit

Deep Coding

Security checks across malware telemetry and agentic risk

Overview

This is a coherent multi-agent coding skill, but its local dashboard has under-scoped file and log exposure risks that users should review before installing.

Install only in a dedicated, trusted project workspace. Do not run the dashboard from a directory containing API keys, credentials, private logs, or unrelated projects. Keep it bound to localhost, review or fix the /api/logs path handling before use, and be aware that generated code and reviewer tests will execute local commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill directs the operator to use file reads and start a local HTTP server, but it does not declare permissions or clearly scope those capabilities in a machine-enforceable way. In a multi-agent coding workflow that reads project files, logs, requests, and serves dashboard data, missing permission declarations can lead to overbroad access and reduce the platform's ability to warn users or sandbox risky behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated purpose is a coding orchestration skill, but the instructions also introduce a dashboard server that scans the filesystem, reads project-state and log files, and exposes them over HTTP routes. That mismatch is security-relevant because users may invoke the skill expecting coordination logic, while also enabling an auxiliary data-serving component that can expose secrets, source code metadata, prompts, or logs if sensitive files exist in the workspace or if localhost access is bridged or misconfigured.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The dashboard renders agent-controlled markdown via `v-html="renderMarkdown(...)"`, and `markdown-it` is instantiated without any visible sanitization step. If agent feedback or handoff content contains raw HTML or dangerous links, it can execute script-capable payloads in the operator's browser, turning untrusted project data into active content.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The orchestrator is instructed to start local HTTP servers, track PIDs, and kill processes as part of delivery and cleanup, which expands its authority beyond task decomposition and scheduling. Even if intended for convenience, these operational capabilities can be abused to launch unintended services, interfere with other local processes, or create persistence/availability risks on the host running the agent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.