Security audit

trae-agent

Security checks across malware telemetry and agentic risk

Overview

This is a broad repository coding-assistant skill whose editing, indexing, and command-validation behavior is disclosed and aligned with its purpose, but it should be used with normal code-review caution.

Install this only if you want a powerful repository-level coding assistant. Keep requests narrow, use version control, review diffs before accepting changes, and avoid running validation commands on untrusted repositories unless isolated or sandboxed. Exclude secrets and private files from any repository indexing workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Vague Triggers

Medium
Confidence: 91%
Finding
The invocation description is extremely broad and overlaps with generic repository analysis, coding, refactoring, and code execution requests. That makes the skill likely to activate for common development tasks and potentially perform high-impact actions without clear user intent boundaries, increasing the chance of unintended repository access or modification.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly advertises natural-language-to-code execution and multi-file modification but does not warn about the operational impact of executing code or altering a repository. In a repository agent context, this increases the risk of unintended command execution, unsafe edits, and user surprise around destructive or irreversible changes.

Missing User Warnings

Medium
Confidence: 97%
Finding
The technical stack lists Docker sandbox, Jupyter, and Bash execution capabilities without any safety guidance, approval requirements, or restrictions. Even when sandboxed, shell-capable tooling can run harmful commands, exfiltrate data, consume resources, or alter project state if users are not clearly warned and execution is not tightly gated.

Missing User Warnings

Medium
Confidence: 94%
Finding
Listing deletion as a standard task type without warning or safeguards normalizes destructive repository operations. In a repo-wide agent, users may trigger deletions unintentionally or without understanding dependency impact, leading to data loss, broken builds, or difficult recovery.

Missing User Warnings

Medium
Confidence: 89%
Finding
The example depicts the agent automatically applying edits, rolling them back, and trying alternatives without any explicit user approval or safety gate. In a repository-level code agent, normalized examples strongly influence implementations and operator expectations, so this pattern can lead to unauthorized code changes, destructive modifications, or repeated unsafe edit attempts across many files.

Missing User Warnings

Medium
Confidence: 95%
Finding
The example includes direct execution of local commands such as TypeScript compilation, linting, and tests without warning, sandboxing, or confirmation. In the context of a code agent that operates on arbitrary repositories, commands like 'npm test' or 'npm run lint' can execute attacker-controlled scripts from package metadata, enabling arbitrary code execution on the host.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.