AI Auto Dev

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it asks an AI coding agent to run with unrestricted access, bypass confirmations, keep persistent logs, and push code to GitHub automatically.

Install only if you are comfortable with an AI Builder changing files, running commands, writing persistent logs, and potentially pushing to GitHub automatically. Use it in a tightly scoped or disposable project, keep approvals enabled where possible, review specs and diffs before execution, and disable or manually gate commit/tag/push behavior unless you explicitly want automatic remote synchronization.
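As an added illustration of the gating advice above (example code written for this page, not part of the AI Auto Dev skill or of SkillSpector), the following POSIX sh git pre-push hook turns the skill's unattended push into a gated one: it refuses the push unless a human has exported AGENT_PUSH_CONFIRMED=1 for the current run, limits the target to an allow-list of remotes, and rejects any pushed commit whose added lines look like a credential. The environment variable names, the remote allow-list and the secret patterns are assumptions chosen for the example, and the sample diffs in the comments are constructed.

```shell
#!/bin/sh
# Added example (not the skill's own code): a git pre-push hook that gates
# automatic pushes. Install as .git/hooks/pre-push and chmod +x.
# Assumed convention: the operator exports AGENT_PUSH_CONFIRMED=1 only after
# reviewing the diff, and AGENT_ALLOWED_REMOTES lists remotes the agent may use.

# Refuse unless a human confirmed this run and the remote is on the allow-list.
#   $1 = value of AGENT_PUSH_CONFIRMED, $2 = remote name,
#   $3 = space-separated allowed remotes (default: origin)
push_permitted() {
    confirmed="$1"; remote="$2"; allowed="${3:-origin}"
    [ "$confirmed" = "1" ] || return 1
    for r in $allowed; do
        [ "$r" = "$remote" ] && return 0
    done
    return 1
}

# Return 0 if the added lines of a diff contain something that must never
# reach a remote. Patterns are illustrative (AWS access key IDs, PEM private
# keys, generic key=value credentials); extend them for your environment.
#   Constructed input that matches:  '+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE'
#   Constructed input that passes:   '+def add(a, b):'
diff_has_secrets() {
    printf '%s\n' "$1" | grep -E -i -q \
        -e '^\+.*AKIA[0-9A-Z]{16}' \
        -e '^\+.*-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----' \
        -e '^\+.*(api[_-]?key|secret|token|password)[[:space:]]*[:=][[:space:]]*["'"'"']?[A-Za-z0-9/+_-]{16,}'
}

# Hook entry point. git passes the remote name as $1 and feeds
# "<local ref> <local sha> <remote ref> <remote sha>" lines on stdin.
run_hook() {
    remote="$1"
    push_permitted "${AGENT_PUSH_CONFIRMED:-0}" "$remote" "${AGENT_ALLOWED_REMOTES:-origin}" || {
        echo "pre-push: refused; review the diff, then set AGENT_PUSH_CONFIRMED=1" >&2
        return 1
    }
    zero=0000000000000000000000000000000000000000
    while read -r local_ref local_sha remote_ref remote_sha; do
        [ "$local_sha" = "$zero" ] && continue      # ref deletion: nothing new
        if [ "$remote_sha" = "$zero" ]; then
            range="$local_sha"                       # new branch: scan all its commits
        else
            range="$remote_sha..$local_sha"          # update: scan only new commits
        fi
        if diff_has_secrets "$(git log -p --format= "$range" 2>/dev/null)"; then
            echo "pre-push: refused; $local_ref adds something that looks like a secret" >&2
            return 1
        fi
    done
    return 0
}

# Act only when git invokes this file as the hook, so the functions above
# can also be sourced and exercised on their own.
case "$0" in
    */pre-push) run_hook "$@"; exit $? ;;
esac
```

With the hook installed, an agent that runs git push in that repository stops at the hook until the operator has reviewed the pending commits and set the variable; unsetting it afterwards returns the repository to the blocked state. The pattern list is a seatbelt rather than a full secret scanner and is best paired with whatever credential scanning the organization already runs.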

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The skill's advertised scope says documentation is only staged, but the workflow later instructs automatic updates to project documentation and remote GitHub synchronization. This creates a capability mismatch that can mislead users about what the skill will modify and enables unexpected persistent and remote side effects.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
Automatic commit/tag/push to a remote repository is a high-risk action unrelated to the minimum necessary capability for local code generation and verification. If triggered on sensitive or unreviewed changes, it can exfiltrate code, secrets, or internal history to remote infrastructure without the user's informed approval.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The skill claims formal documents are read-only and only staging files are written, yet elsewhere it directs automatic edits to README/CHANGELOG and baseline or experiment files. Contradictory safety boundaries increase the chance of unauthorized writes because users and orchestrators may rely on the stricter claim while the implementation does more.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The skill directs reading and writing user-level files under home-directory locations outside the project workspace for memory, baselines, and experiment tracking. That exceeds the stated task scope and creates unnecessary access to unrelated local data, increasing the risk of privacy leakage, persistence of sensitive content, and cross-project contamination.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The workflow mandates automatic commit, tagging, and push without an explicit user warning or confirmation immediately before those actions. Those operations are irreversible or externally visible and can publish sensitive changes, trigger CI/CD, or alter release state without meaningful human review.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill requires danger-full-access and broad command execution as a prerequisite, but does not pair that elevation with proportional safety controls, command restrictions, or strong user-facing warnings. In that mode, any prompt misinterpretation or malicious downstream instruction can directly modify the filesystem, invoke package managers, and affect the host environment.

Ssd 4

Severity: Medium
Confidence: 95%
Finding
The warmup step is explicitly designed to establish trust so later background Bash tasks can run with fewer confirmations. That is a consent-bypass pattern: it conditions the environment to reduce future friction on privileged actions rather than obtaining approval for each meaningful operation.

Ssd 3

Severity: Medium
Confidence: 90%
Finding
Automatically reading and displaying prior progress files and logs can expose contents from interrupted sessions into a new conversation without fresh authorization. Those files may contain paths, prompts, outputs, or operational details that are unrelated to the current user's immediate request.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
The archive-staging and delivery flow requires preserving broad work logs and 'all worth-recording content,' then inlining that material in the chat. This creates a general-purpose retention and disclosure mechanism that can capture secrets, proprietary code details, or sensitive reasoning beyond what is necessary to deliver the task result.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The memory-protection protocol mandates immediate persistence of task inputs, results, decisions, and notes to local files, creating broad natural-language logging across sessions. This increases privacy and data-governance risk because sensitive user content is copied into durable storage without minimization, retention limits, or explicit consent.

VirusTotal

66/66 vendors flagged this skill as clean. Note that VirusTotal engines look for known malware signatures in the uploaded files; a clean result does not address the behavioral findings above, which concern what the skill instructs an agent to do rather than malicious code in the package.
