Back to skill

Security audit

Auto Bug Finder

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Solidity audit helper, but it can automatically rewrite smart-contract files and gives stronger safety assurances than the artifacts justify.

Install only if you intend to run an auto-fixing Solidity audit tool on a disposable branch or copy. Review the hardcoded AgentEscrow paths and computed project directory before running, inspect every generated diff manually, and do not treat the final report's production-ready language as an independent audit signoff.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The script emits a strong security assurance ('production-ready from a security perspective') even when unresolved Medium findings may remain. In a security automation context, false assurances are dangerous because they can directly influence deployment decisions and cause vulnerable smart contracts to be shipped with known unresolved risk.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The skill explicitly states that it generates patches and writes reports into the project directory, but the description does not present this behavior as a caution or side effect that could modify a user's workspace. In a security-sensitive automation skill, undisclosed file writes and patch generation can lead to unexpected repository changes, accidental overwrites, or unreviewed code modifications being trusted as audit output.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script automatically overwrites the Solidity contract source after generating patches, without an approval prompt, dry-run default, or explicit user confirmation. In an agent/automation setting, silent source mutation is risky because it can introduce insecure changes, corrupt reviewed code, or commit unintended modifications that are later trusted as tool-validated fixes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
auto-bug-finder.js:39