Back to skill

Security audit

Codebase Inspection

Security checks across malware telemetry and agentic risk

Overview

The main tool is a local code metrics reporter, but a bundled CI verifier can automatically run Python files from a target folder, so it should be reviewed before use.

Use the codebase_inspector.py metrics tool only on directories you are comfortable letting it read, and choose report or snapshot output paths deliberately. Do not run ci/verify_product.py against untrusted repositories or submissions unless it is inside a disposable sandbox with no secrets and limited filesystem and network access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def has_self_test(fp):
    r = subprocess.run([sys.executable, fp, "self-test"], capture_output=True, text=True, timeout=30)
    return r.returncode == 0 and "PASS" in r.stdout
Confidence
98% confidence
Finding
r = subprocess.run([sys.executable, fp, "self-test"], capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
all_ok &= axis(False, "frontmatter (no SKILL.md)")
        all_ok &= axis(False, "docs (no SKILL.md)")
    # 3 compiles
    comp_ok = all(subprocess.run([sys.executable, "-m", "py_compile", fp],
                                capture_output=True).returncode == 0 for fp in files)
    all_ok &= axis(comp_ok, "compiles (py_compile all .py)")
    # 4 self-test (any of 3 valid forms)
Confidence
96% confidence
Finding
comp_ok = all(subprocess.run([sys.executable, "-m", "py_compile", fp], capture_output=True).returncode == 0 for fp in files)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
tests = [os.path.join(folder, f) for f in os.listdir(folder)
                 if (f.startswith("test_") or f.endswith("_test.py")) and f.endswith(".py")]
        if tests:
            st_ok = all(subprocess.run([sys.executable, t], capture_output=True, text=True,
                                      timeout=30).returncode == 0 for t in tests)
            st_note = f"{len(tests)} test_*.py"
        elif re.search(r"(?im)^test\s*:", skill_txt):
Confidence
99% confidence
Finding
st_ok = all(subprocess.run([sys.executable, t], capture_output=True, text=True, timeout=30).returncode == 0 for t in tests)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises and instructs use of capabilities that imply file reads, file writes, shell execution, and network access, but it does not declare any permissions or safety boundaries. This creates a trust gap for agents or platforms that rely on explicit permission manifests, increasing the risk of unexpected filesystem access, command execution, or remote retrieval without informed approval.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The file is framed as a verification/checking harness, but it executes product code via `self-test`, which violates the expectation of passive analysis. This mismatch increases risk because operators may run it on untrusted submissions believing it only inspects files, enabling stealthy code execution.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The harness auto-discovers and runs test files from the inspected product, adding untrusted code execution beyond simple verification. Because this behavior is implicit, it can surprise users and CI maintainers and be abused by malicious submissions to run payloads under verification credentials.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.