blog-polish-enus-images

Security checks across malware telemetry and agentic risk

Overview

The skill is a code-review helper, but its bundled script defaults to broad unsandboxed review execution and can automatically involve other reviewer tools.

Install only if you trust this maintainer workflow with your repository. Prefer running the helper with `--no-yolo` or `AUTOREVIEW_YOLO=0`, disable automatic fallback reviewers if your diff is private, and review any auto-run test/static-check behavior before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 80%
Finding
The skill reads from and writes to local filesystem locations automatically, but the user-facing instructions do not clearly warn that local data will be modified and persisted. In an agent setting, silent file creation/overwrite behavior can surprise users, cause unintended data exposure through later workflows, or alter local content without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
