Back to skill

Security audit

LogicArt Code Review

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward LogicArt code-review helper, but it uploads code or chosen file contents to LogicArt, so sensitive material should not be submitted unless sharing is approved.

Install only if you are comfortable using LogicArt as a third-party code-analysis service. Do not use it on secrets, private keys, credentials, regulated data, or proprietary code unless you are authorized to send that material to LogicArt.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad enough to match common user requests like 'analyze code' or 'find bugs', which can cause the skill to activate in many contexts without clear user intent to use this specific external service. In this skill, that broad activation is more concerning because the skill also routes code to a third-party API, increasing the chance of unintended data disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill clearly instructs sending user-provided code to an external API but does not provide a prominent warning about data transmission, retention, or privacy implications. Because code review requests often involve proprietary source, secrets, or internal logic, this omission can lead to accidental exfiltration of sensitive material to a third party.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script transmits arbitrary source code read from --code or --file to a third-party endpoint at logic.art, but provides no explicit warning, consent prompt, redaction, or trust boundary disclosure at the point of exfiltration. In a code-review skill, users may pass proprietary code, secrets, credentials, or internal logic, so silent transmission to an external service creates a real confidentiality and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.