Code Inspector

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a local code scanner, but its security claims are broader than what the code actually checks and it can silently skip files.

Treat this as a lightweight heuristic scanner, not a production security gate. It may be useful for finding some code smells, but do not rely on a clean result for eval/exec safety, unused imports, or full directory coverage unless the implementation is fixed and skipped-file reporting is added.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding
The skill claims to detect specific high-value issues such as unsafe eval and unused imports, but the finding states those checks are not actually implemented while other undeclared analyses are performed instead. This creates a false sense of security: users may trust a clean report and deploy code that still contains critical vulnerabilities the tool promised to catch.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The recursive scan wraps each file inspection in a broad `except Exception: pass`, which silently drops all parsing, permission, encoding, and detector failures. In a security/code-inspection skill, this is dangerous because problematic files can be skipped without any signal, producing incomplete results and giving users false confidence that a directory was fully inspected.

VirusTotal

63/63 vendors flagged this skill as clean.
