Back to skill

Security audit

Code Review

Security checks across malware telemetry and agentic risk

Overview

This skill sends code or a user-selected file to LogicArt for code review, which matches its stated purpose but can expose private source code.

Install only if you are comfortable sending reviewed code to LogicArt. Avoid using it on secrets, credentials, private customer data, or proprietary code unless you trust that service and its data-handling practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrases are broad enough to match many normal user requests about reviewing or analyzing code, which can cause this skill to activate unexpectedly. Because the skill routes code to an external service, overbroad triggering increases the chance that sensitive source code is sent off-platform without the user clearly intending that behavior.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation explicitly instructs sending user-provided code to a third-party API but gives no warning about data transmission, retention, confidentiality, or privacy implications. In a code-review context, submitted code may contain proprietary source, secrets, internal logic, or customer data, so silent exfiltration to an external service creates a significant confidentiality risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script reads arbitrary local file contents and sends them to a third-party remote API, but it provides no explicit warning, confirmation, or disclosure at runtime that file contents will leave the local environment. In a code-review skill, users may pass proprietary source, secrets, credentials, or internal codebases, so silent exfiltration to an external service creates a real confidentiality risk even if it is part of the intended feature.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.