Back to skill

Security audit

Docstring Generator / 文档注释生成

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a docstring-generation description, but it mixes runtime skill content with unrelated affiliate-style advertising and broad repo-editing claims without clear scoping.

Install only if you are comfortable with a skill whose documentation includes unrelated commercial links and vague broad-editing claims. If used, review generated code changes before applying them across a repository and ignore the VPS/trading links as unrelated to the skill’s function.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill is presented as a docstring generator, but a substantial portion of the file is used for unrelated upsell and commercial promotion content. In an agent ecosystem, this is dangerous because it can repurpose trust and interface real estate for advertising, affiliate monetization, or social engineering unrelated to the declared capability.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The affiliate-style RackNerd and moomoo links are unrelated to docstring generation and indicate the skill is being used as a vehicle for third-party marketing. This creates social-engineering and trust-abuse risk, since users may click links believing they are endorsed or operationally necessary for the skill.

VirusTotal

47/47 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.