Security audit

coding-framework

Security checks across malware telemetry and agentic risk

Overview

This coding workflow skill is mostly coherent, but it gives broad agent and command-execution authority with limited scoping, so users should review it carefully before installing.

Install only if you want a broad coding framework that can route tasks to multiple agents, run command-capable specialist agents, and keep local workflow state/logs. Avoid using it on repositories containing secrets unless you are comfortable with full file contents being passed into review tasks, and prefer disabling or constraining exec for review-only agents if your environment supports that.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill references multiple files and scripts to be read and executed as part of its workflow, but it does not declare permissions for those capabilities. This creates a mismatch between the apparent behavior and the stated permission model, which can bypass user expectations and make unauthorized file access harder to audit.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The agent is described as a read-only code reviewer operating under a 'least privilege' model, but it is granted the exec tool anyway. That creates an unnecessary capability to run shell commands, which expands the attack surface and can enable command execution if prompts, reviewed code, or surrounding workflows are manipulated into using the tool.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The agent is described as a static performance-analysis reviewer, but it is granted the exec tool, which enables command execution beyond its stated purpose. That expands the attack surface significantly: prompt-injected code or repository content could induce shell execution, file modification, data exfiltration, or unintended runtime behavior under the guise of analysis.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The prompt explicitly says analysis is limited to static review and does not perform runtime testing, yet the available tools still permit execution. This mismatch is dangerous because operational capability overrides documentation; users or orchestrators may trust the textual constraint while the agent remains technically able to run commands if manipulated or misrouted.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The agent is described as a security auditor focused on reading, scanning, and reporting, yet it is granted `exec`, which expands it from passive analysis into active command execution. That violates least privilege and creates a path for prompt-driven shell actions, especially risky because the prompt discusses security testing and could be steered into running local commands during an audit.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The prompt says the agent must not perform offensive operations, but the available tools still include unrestricted command execution. This mismatch is dangerous because policy-only restrictions are weak when the capability remains present; an attacker or ambiguous user prompt may still induce execution despite the written instruction.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The document defines explicit task routing and child-agent spawning via `sessions_spawn`, which materially expands the skill from a simple programming framework into a dispatcher for subordinate agents with inherited context and prompts. This increases attack surface because unsafe routing, prompt injection propagation, or untrusted agent definitions in `agents/*.yaml` can cause unintended delegation and broaden tool access beyond what a user may expect.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Multiple agents are granted `exec` access, including reviewer-style roles that primarily analyze code and documentation. Execution capability is dangerous in this context because delegated agents may run repository code, shell commands, or attacker-influenced artifacts during analysis, enabling command execution, data exfiltration, or environment compromise if the surrounding platform does not strongly sandbox subprocesses.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The default trigger '用户要求写代码' is very broad and can activate the skill for many ordinary requests without clear user intent to invoke this framework. In a skill that can spawn agents, read supporting files, and influence execution flow, overbroad activation increases the chance of unintended actions and prompt-scope escalation.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The iteration trigger includes vague conditions such as '优化' and '性能问题', which are common in normal conversation and can unintentionally start a looped workflow. Because this mode initializes controller state and may repeatedly analyze and modify outputs, ambiguous activation increases the risk of unwanted persistence, excessive actions, or uncontrolled workflow expansion.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger examples are very broad, generic architecture-related phrases, which can cause this agent to be invoked in contexts where the user did not explicitly request an architecture review. Unintended invocation can lead to workflow hijacking, noisy or irrelevant analysis, and increased chance that the wrong specialist agent influences decisions in a multi-agent system.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The manifest and system prompt are written entirely in Chinese and require Chinese-formatted behavior without any user opt-in or documented locale restriction. In a general-purpose skill ecosystem, this can create instruction misalignment, reduce user comprehension, and increase the likelihood of incorrect or unsafe downstream actions if users or orchestrators expect another language.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger examples include broad phrases such as '帮我看看这个文件' and '这段代码怎么样', which can match ordinary conversation and invoke the skill unexpectedly. Unintended activation is more dangerous here because the skill has elevated tooling, including exec, so a misfire could grant a more powerful agent control in contexts where the user did not explicitly request it.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrase '这段代码性能怎么样' is broad natural language that could match ordinary conversations and cause unintended invocation of this agent. In a multi-agent framework, over-broad triggering can route sensitive code or tasks to an agent with stronger-than-necessary capabilities, especially problematic here because the agent also has exec permission.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad, common requests such as '安全检查' and '这段代码安全吗', which can cause the skill to activate in routine conversations where the user did not intend to invoke this specific high-capability auditor. Because the skill has `exec`, unintended invocation increases the chance of unnecessary code access or command execution in unrelated contexts.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes short, common phrases such as '写测试', 'unit test', and '补充测试' that are broad enough to activate the skill in contexts where the user may not explicitly want this specialized agent. In an agent-routing system, overbroad activation can cause unintended tool access and workflow execution, which is more concerning here because the agent is permitted to use exec.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script reads complete file contents and embeds them into task payloads for downstream review agents without any explicit consent, warning, minimization, or sensitivity filtering. In an agent-skill context, this materially increases the risk of unintentional disclosure of source code, secrets, or regulated data to other components or external review backends.

Credential Access

High
Category
Privilege Escalation
Content
9. **Sensitive data transfer** (high) — scp .ssh/.env, curl -d password
10. **Code execution risk** (high) — eval(concatenation), exec(concatenation), subprocess shell=True
11. **Sensitive information leakage** (high) — hard-coded API key, Bearer token
12. **Path traversal** (high) — ../../, %2e%2e, /etc/passwd

### Injection attacks (13-15)
Confidence
18% confidence
Finding
/etc/passwd

Credential Access

High
Category
Privilege Escalation
Content
AGENT_SELECTION_RULES = {
    "security-auditor": {
        "patterns": [r"password", r"secret", r"token", r"auth", r"login", r"encrypt", r"credential"],
        "extensions": [".env", ".pem", ".key", ".cert"],
        "keywords": ["security", "安全", "漏洞", "audit"],
    },
    "test-engineer": {
Confidence
60% confidence
Finding
.env"

Tool Parameter Abuse

High
Category
Tool Misuse
Content
### System security (1-8)

1. **Dangerous commands** (critical) — rm -rf /, format, diskpart, mkfs
2. **Registry operations** (critical) — reg add/delete, Set-ItemProperty HKLM
3. **Account management** (critical) — net user, useradd, Add-LocalGroupMember
4. **Service management** (high) — sc delete/config, systemctl, net start/stop
Confidence
27% confidence
Finding
rm -rf /

Tool Parameter Abuse

High
Category
Tool Misuse
Content
### System security (1-8)

1. **Dangerous commands** (critical) — rm -rf /, format, diskpart, mkfs
2. **Registry operations** (critical) — reg add/delete, Set-ItemProperty HKLM
3. **Account management** (critical) — net user, useradd, Add-LocalGroupMember
4. **Service management** (high) — sc delete/config, systemctl, net start/stop
Confidence
26% confidence
Finding
rm -rf /

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.