Code Mirror

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only coding helper that reads project code to generate matching frontend or backend code, with no evidence of hidden execution, exfiltration, or persistence.

Reasonable to install if you want help generating matching frontend and backend code. Review generated CRUD, authentication, and validation code before applying it, because the skill may read project files to infer stack details and can generate routes that create, update, or delete application data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 94%
Finding
The skill description is broadly scoped ('mirror frontend and backend code across the stack' and 'scaffold full-stack features from one side'), which can cause the agent to activate on many ordinary coding prompts that are not actually requesting this capability. Over-broad activation increases the chance the skill reads unrelated workspace files or generates code changes in contexts the user did not intend, expanding attack surface and enabling prompt-routing abuse.

Vague Triggers

Medium
Confidence: 96%
Finding
The trigger list includes vague everyday terms such as 'mirror' and 'bridge' without requiring stack-specific context, making accidental or adversarial invocation more likely. In an agent environment, ambiguous triggers can be exploited to route unrelated requests into a skill that inspects project files and emits broad code changes.

VirusTotal

59/59 vendors flagged this skill as clean.
