Back to skill

Security audit

Receiving Code Review

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent code-review workflow guide with one GitHub reply note that is relevant but should be used with normal posting caution.

Before installing, understand that this skill will influence how the agent handles code review feedback and may guide it to reply in GitHub review threads if you ask it to reply. Review any externally posted comment before sending, especially on public or shared repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The GitHub API reply instruction expands the skill from passive review-evaluation guidance into taking an external action on a third-party service. That creates a capability boundary issue: an agent following this skill could post comments or replies without an explicit, situational user confirmation step, which is risky because review-thread communication is externally visible and potentially irreversible.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.