Back to skill

Security audit

Test Coverage Diff / 测试覆盖率差异分析

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only testing workflow skill with no install script or bundled executable behavior.

Before installing, note that this skill appears to document or invoke an external test-coverage-diff tool rather than provide it. Review that external tool separately before using it on private repositories or enabling CI annotations or PR-blocking gates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill markets CI behavior that can block pull requests based on automated coverage analysis, but it does not include guardrails such as opt-in setup, reviewer override guidance, failure-mode handling, or warnings about workflow disruption. In a developer tooling context, automating merge-blocking decisions without clear safeguards can cause denial of workflow, noisy false positives, and overreliance on unreviewed automation in security- or quality-sensitive pipelines.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises direct CI injection and automated review annotations, which implies modifying automated development workflow behavior, but it provides no warning about authorization boundaries, repository policy impact, or the risk of incorrect automated actions. In this context, that omission is risky because users may enable automation that affects code review outcomes or pipeline behavior without understanding the operational and governance consequences.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.