Back to skill

Security audit

Code Archaeology

Security checks across malware telemetry and agentic risk

Overview

This skill is a local code-analysis/document-generation helper; it writes output files as part of its stated workflow and shows no hidden network, credential, destructive, or auto-run behavior.

Install only if you want a local helper that reads existing Code Archaeology results and writes AI Plan Generator context files. Run it in a project workspace, choose a non-sensitive output directory, review generated files before committing or sharing them, and verify any generated business rules or security findings against the actual source code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This script creates directories and writes multiple output files, which exceeds a narrowly stated analysis-only skill scope and introduces side effects on the host filesystem. In an agent environment, such unexpected write capability increases risk because attacker-controlled inputs like outputDir can influence where files are created, enabling unintended persistence or overwriting of files if the wrapper does not constrain paths.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.