Security audit

Super Deep Coding

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed multi-agent coding workflow, but it combines broad local code execution, agent spawning, a file-serving dashboard, and unsafe dashboard rendering in ways users should review before installing.

Install only in a workspace where running generated code, spawning agents, and exposing project files on localhost are acceptable. Do not use it on repositories containing secrets unless you isolate them first, and consider fixing the dashboard markdown sanitization and narrowing the server file allowlist before using it with untrusted agents or project content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding: The skill directs the agent to read project files, inspect logs, and operate a local HTTP server, but it does not declare corresponding permissions or capabilities. This creates a transparency and policy-enforcement gap: users or platforms may approve the skill expecting a narrower trust boundary, while the workflow still causes file access and network exposure on localhost.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The stated purpose emphasizes multi-agent coding, but the skill also provisions and operates a local dashboard server that scans the workspace, serves project artifacts, and exposes logs and metadata via HTTP endpoints. That mismatch is dangerous because users may invoke the skill for coding assistance without realizing it also creates a data-serving surface that can expose sensitive source files, request contents, and logs from the project directory.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The dashboard renders agent-provided content with `v-html` after passing it through `markdown-it`, but `markdown-it()` is initialized with default HTML support and no sanitization step. Because review feedback and handoff summaries are loaded from project/agent data, a malicious or compromised agent can inject HTML/JavaScript that executes in the viewer's browser, leading to stored XSS in a privileged monitoring interface.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding: The server exposes generic file-serving behavior for arbitrary files under BASE_DIR, including '/projects/*' and other root-relative paths, rather than only narrowly scoped dashboard assets and APIs. Even though it binds to localhost and includes a path traversal check, this can still disclose sensitive local project files, logs, archives, or generated artifacts to any local process or user able to connect, which is broader access than the stated skill purpose requires.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding: The orchestrator instructions explicitly tell the agent to start a local HTTP server and invoke shell commands such as `python3 -m http.server`, `npx serve`, and `curl`. For a coordination skill, this expands behavior from task orchestration into local command execution and network exposure, creating unnecessary attack surface if project contents or paths are adversarial. In this context, the skill processes untrusted project requests, so embedding execution-oriented operational steps is more dangerous than in a narrowly sandboxed testing tool.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The activation text uses broad triggers such as requests for 'deep coding', 'multi-agent collaboration', or 'complex project builds', which can cause the skill to activate in many loosely related situations. Because this skill includes code execution, agent spawning, filesystem operations, and local serving of project data, overbroad activation increases the chance of surprising or unsafe invocation in contexts where the user did not intend those capabilities.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.