Security audit

repair-agent

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only bug-repair skill whose patching and test-running behavior is expected for its stated purpose, but users should review changes before accepting them.

Install this only if you want an agent to help diagnose bugs, propose patches, and run project tests. Use it on repositories you control, keep version-control rollback available, and review diffs before accepting changes, especially in security-sensitive or deployment-related code.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly presents itself as an autonomous bug-fixing agent capable of patch generation, validation, and iterative execution feedback, but it does not warn users that it may modify repository files or run tests and related commands that affect the workspace. In an agent setting, this can lead to unexpected code changes, resource consumption, side effects from test execution, or accidental alteration of local state without clear user awareness or consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.