Security audit

prd-impact-analyzer

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only PRD impact analysis skill with disclosed project-file inspection and an optional reviewed-spec code generation workflow, with no evidence of hidden execution or credential misuse.

Install only if you are comfortable letting the agent inspect the specified PRDs and relevant repository files. Keep the optional code-generation step under explicit user control, review generated specs before implementation, and do not grant broad access to secrets or unrelated private repositories.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The workflow explicitly includes an optional `spec-to-code-generator` step with `auto_generate: true`, which normalizes repository-modifying behavior without any adjacent safety warning, confirmation gate, or scope restriction. In an agentic environment, this can lead users to invoke automatic code changes assuming the skill is analysis-only, increasing the risk of unintended or over-broad modifications to source code.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.