Review

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent PR review skill, but it can directly edit code during a review without a separate approval step.

Install only if you want a review skill that may change your working tree, not just report findings. Use it on a clean branch, inspect the resulting git diff before committing or pushing, verify the referenced checklist files are present and trusted, and decline the optional Codex/browser review unless sharing the relevant plan or code context is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Severity: High (95% confidence)
Finding
The skill is presented as a pre-landing review tool, but its instructions require directly modifying the repository by auto-fixing findings. That creates a capability/expectation mismatch: a user invoking a 'review' may reasonably expect analysis and recommendations, not code changes, which can lead to unauthorized or surprising modifications in sensitive code paths.

Context-Inappropriate Capability

Severity: Medium (83% confidence)
Finding
The optional Codex/browser workflow introduces an external review path that is broader than a local diff review skill's core purpose. Even though it asks the user first, it expands the trust boundary and can expose plan/code context to another tool or service unnecessarily, increasing data handling and tool misuse risk.

Intent-Code Divergence

Severity: Medium (92% confidence)
Finding
The document repeatedly frames the workflow as analysis of a diff, but later mandates 'fix-first' modification behavior. This inconsistency can mislead users and higher-level orchestrators about the skill's side effects, causing accidental write operations where only assessment was intended.

Vague Triggers

Severity: Medium (78% confidence)
Finding
The trigger phrases are broad and map to very common requests such as 'code review' or 'check my diff,' which increases the chance of unintended invocation. In this skill, unintended invocation is more dangerous because the workflow includes repository reads, optional external tooling, and automatic code modification.

Missing User Warnings

Severity: Medium (96% confidence)
Finding
The skill instructs automatic modification of user code, but the top-level description advertises it as an analysis/review tool and does not prominently warn about write side effects. This undermines informed user consent and can lead to silent or unexpected code changes during what appears to be a read-only review operation.

VirusTotal

61/61 vendors flagged this skill as clean.