Back to skill

Security audit

GoTo CodeDev Manager

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed coding-orchestration skill, but it requests broad local command, workspace-editing, and database-migration authority with some scoping gaps users should review before installing.

Install only for repositories and databases you trust. Review the configured workspaces, adapter commands, and TEST_DB_CONNECTION values before use; require explicit confirmation for coding tasks, migrations, database updates, and commits, and avoid using it on untrusted repos where build or test commands may execute arbitrary project code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
args = command if self._shell else shlex.split(command, posix=False)
        start = time.monotonic()
        try:
            result = subprocess.run(
                args,
                shell=self._shell,
                cwd=cwd,
Confidence
91% confidence
Finding
result = subprocess.run( args, shell=self._shell, cwd=cwd, capture_output=True, text=True, t

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares powerful operational capabilities such as reading and writing files, accessing environment data, and invoking shell-backed build/test/migration flows, but it does not expose an explicit permissions model in the manifest. That mismatch can cause the platform or users to underestimate what the skill can do, increasing the chance of unintended code execution, workspace modification, or secret exposure when the skill is invoked.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The docstring states that database updates must always pass an explicit --connection to avoid falling back to a project-default connection that could point to production, but the implementation silently omits --connection when test_db_connection is unset. In this skill's context of orchestrating EF Core migrations and database change workflows across multiple IDE/agent environments, that mismatch can cause accidental execution against the wrong database, including production, leading to destructive schema changes or data loss.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Trigger phrases like '代码开发', '开发任务', and '写代码' are broad everyday requests that may activate this high-privilege orchestration skill in contexts where the user did not intend shell execution, workspace inspection, or agent delegation. Because this skill can open workspaces, run tests/builds, and dispatch coding tasks, accidental invocation materially increases the chance of unintended actions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Keywords in this range such as product and tool names plus generic terms like 'Git Diff', '代码变更', '跑测试', and '开发报告' are ambiguous and may match ordinary discussion rather than a deliberate request to invoke a privileged multi-agent coding skill. In this context, accidental activation is more dangerous because the skill is designed to interact with local projects and execute development tooling.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This adapter invokes an external coding agent with `--permission-mode acceptEdits`, explicitly allowing it to write changes into the workspace, but the file contains no user-facing warning, confirmation, or disclosure at the point of execution. In a skill whose purpose is to orchestrate autonomous coding agents across repositories, silent write-capable subprocess execution increases the risk of unintended, destructive, or security-relevant modifications being made without clear operator awareness.

Missing User Warnings

High
Confidence
83% confidence
Finding
This method forwards the full user prompt to a configured external CLI, which may be a third-party agent or IDE integration. In a multi-agent orchestration skill, prompts can contain proprietary code, credentials, internal instructions, or sensitive business context, so sending them to an externally configured tool without explicit trust validation or user consent creates a real data exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The adapter reads `.vscode/tasks.json` from the workspace and directly executes the task's `command` and `args` via the executor without validation, trust checks, or any user-facing confirmation. Because the workspace is potentially untrusted and this skill is explicitly designed to orchestrate development tasks across repositories, opening or operating on a malicious repo could cause arbitrary command execution on the host.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The task file defines broad, high-impact workflows that can be triggered by task name and template parameters, but it does not constrain when they should run, what repositories or environments are allowed, or what preconditions must be satisfied. In a multi-agent code-development orchestration context, this increases the chance of unintended execution of code modification, migration generation, local database updates, or report generation from ambiguous or weakly scoped prompts.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyyaml>=6.0.1
python-dotenv>=1.0.0
pydantic>=2.5.0
jinja2>=3.1.2
Confidence
95% confidence
Finding
pyyaml>=6.0.1

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyyaml>=6.0.1
python-dotenv>=1.0.0
pydantic>=2.5.0
jinja2>=3.1.2
structlog>=23.0.0
Confidence
98% confidence
Finding
python-dotenv>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyyaml>=6.0.1
python-dotenv>=1.0.0
pydantic>=2.5.0
jinja2>=3.1.2
structlog>=23.0.0
pytest>=7.4.0
Confidence
93% confidence
Finding
pydantic>=2.5.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyyaml>=6.0.1
python-dotenv>=1.0.0
pydantic>=2.5.0
jinja2>=3.1.2
structlog>=23.0.0
pytest>=7.4.0
pytest-mock>=3.12.0
Confidence
99% confidence
Finding
jinja2>=3.1.2

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv>=1.0.0
pydantic>=2.5.0
jinja2>=3.1.2
structlog>=23.0.0
pytest>=7.4.0
pytest-mock>=3.12.0
Confidence
92% confidence
Finding
structlog>=23.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pydantic>=2.5.0
jinja2>=3.1.2
structlog>=23.0.0
pytest>=7.4.0
pytest-mock>=3.12.0
Confidence
98% confidence
Finding
pytest>=7.4.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
jinja2>=3.1.2
structlog>=23.0.0
pytest>=7.4.0
pytest-mock>=3.12.0
Confidence
90% confidence
Finding
pytest-mock>=3.12.0

Known Vulnerable Dependency: python-dotenv==1.0.0 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
88% confidence
Finding
python-dotenv==1.0.0

Known Vulnerable Dependency: jinja2==3.1.2 — 10 advisory(ies): CVE-2025-27516 (Jinja2 vulnerable to sandbox breakout through attr filter selecting format metho); CVE-2024-56201 (Jinja has a sandbox breakout through malicious filenames); CVE-2024-22195 (Jinja vulnerable to HTML attribute injection when passing user input as keys to ) +7 more

Critical
Category
Supply Chain
Confidence
99% confidence
Finding
jinja2==3.1.2

Known Vulnerable Dependency: pytest==7.4.0 — 2 advisory(ies): CVE-2025-71176 (pytest has vulnerable tmpdir handling); CVE-2025-71176 (pytest has vulnerable tmpdir handling)

High
Category
Supply Chain
Confidence
94% confidence
Finding
pytest==7.4.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.