小龙虾 ("Crayfish")

Security checks across malware telemetry and agentic risk

Overview

This coding assistant appears useful, but it handles user code and conversation history in ways that need careful review before installation.

Review this skill before installing. Treat it as a remote coding assistant that may send your prompts and prior conversation context to an external provider and keep a local history on disk. Do not paste secrets or proprietary code unless you trust the provider and its retention model, and use save/export only after checking the exact destination paths and the set of files that will be included.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Medium (82% confidence)

The documented '保存到文件' (save to file) behavior writes to the local filesystem, a sensitive side effect that answering coding questions does not inherently require. In a programming-assistant context this can be legitimate, but without explicit constraints, a confirmation step, or path restrictions it raises the risk of unintended overwrites or of sensitive content being written to disk.

Context-Inappropriate Capability

Medium (80% confidence)

The documented export/packaging capability can aggregate generated code artifacts and write them to user-specified locations, widening the blast radius beyond a normal chat response. In a coding-assistant context this is somewhat expected, but it becomes risky when earlier outputs contain secrets, proprietary code, or unsafe paths and no confirmation or scoping is enforced.

Description-Behavior Mismatch

Medium (97% confidence)

The skill transmits user prompts and the full conversation history to an external Volcengine/DeepSeek API without disclosing this in the skill description or at runtime. Users may paste proprietary code, secrets, or sensitive debugging data, resulting in unintended third-party disclosure and retention outside the local environment.

Context-Inappropriate Capability

Medium (95% confidence)

The --save path accepts a user-supplied filename and joins it directly to the skill directory using Path-join semantics, under which an absolute filename replaces the base directory entirely and '..' components step above it, so the write can land outside the intended directory. Invoked in a higher-privilege context, this can overwrite any file the user can write to and turns model output into a file-write primitive.

Vague Triggers

High (91% confidence)

The trigger phrases are broad everyday terms such as '编程' (programming), 'debug', and '代码助手' (code assistant), making accidental activation in normal conversation likely. Because this skill also documents persistence, file writing, and external API use, over-broad activation increases the chance that unrelated or sensitive user content is processed, stored, or transmitted without meaningful intent.

Vague Triggers

High (93% confidence)

Single-word activators such as '审查' (review), '测试' (test), 'SQL', 'API', and '架构' (architecture) are highly ambiguous and match ordinary discussion as readily as a deliberate request to invoke the skill. Here ambiguous activation is especially risky because the assistant may switch into behaviors that handle code, history, and file operations without clear user consent.

Missing User Warnings

Medium (89% confidence)

The skill describes saving generated code to files but does not warn users that this modifies local data and may overwrite existing files. Without an explicit warning and confirmation step, users may trigger disk writes unintentionally, which is hazardous when the generated content can contain mistakes or secrets and the destination path is chosen implicitly.
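To make the path-join and overwrite problems from the two file-writing findings concrete, here is an added example (not the skill's own code, which this page does not reproduce) showing the unsafe join beside a hardened --save handler. The function names, the throwaway base directory, and the sample filenames are assumptions. `naive_join` reproduces the pattern the earlier finding describes; `save_code` confines the target to the base directory (including through symlinks), refuses to overwrite unless explicitly asked, and creates files owner-readable only, which is also the mode a history file written under the user's home directory should get.

```python
import os
import stat
import tempfile
from pathlib import Path


def naive_join(base: str, user_name: str) -> str:
    """The unsafe pattern: pathlib's '/' discards `base` when `user_name` is
    absolute and keeps '..' segments, so the caller decides where the write lands."""
    return str(Path(base) / user_name)


def resolve_save_target(user_name: str, base: Path) -> Path:
    """Return a path strictly inside `base`, or raise ValueError."""
    candidate = Path(user_name)
    if candidate.is_absolute():
        raise ValueError(f"absolute path rejected: {user_name!r}")
    if not candidate.parts or ".." in candidate.parts:
        raise ValueError(f"empty or traversing path rejected: {user_name!r}")
    base_r = base.resolve()
    # resolve() follows symlinks, so a symlinked subdirectory that points
    # outside `base` is caught by the containment check below.
    target = (base_r / candidate).resolve()
    if base_r not in target.parents:
        raise ValueError(f"path escapes {base_r}: {user_name!r}")
    return target


def save_code(user_name: str, content: str, base: Path, *, overwrite: bool = False) -> Path:
    """Write `content` inside `base`; refuse to clobber unless overwrite=True.
    O_EXCL makes the refusal atomic (no check-then-write race), and mode 0o600
    keeps generated code, which may embed secrets, readable only by the owner."""
    target = resolve_save_target(user_name, base)
    target.parent.mkdir(parents=True, exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if overwrite else os.O_EXCL)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(content)
    return target


def demo() -> dict:
    """Exercise the cases the findings describe in a throwaway directory
    (constructed inputs, not real skill output)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        for name in ("/etc/passwd", "../escape.py", "src/hello.py"):
            try:
                results[name] = str(resolve_save_target(name, base).relative_to(base.resolve()))
            except ValueError:
                results[name] = "rejected"
        written = save_code("src/hello.py", "print('hi')\n", base)
        try:
            save_code("src/hello.py", "clobbered\n", base)
            results["second_write"] = "overwrote"
        except FileExistsError:
            results["second_write"] = "refused"
        results["mode"] = oct(stat.S_IMODE(written.stat().st_mode))
    return results


if __name__ == "__main__":
    print(naive_join("/home/u/.skill", "/etc/passwd"))
    print(demo())
```

The containment test compares resolved paths rather than string prefixes, so a base of `/home/u/skill` does not accept `/home/u/skill-other/x`, and the `..` check is kept alongside it so the rejection reason is explicit even when resolution alone would catch the escape.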

Missing User Warnings

Medium (88% confidence)

The export command is documented without explaining that packaging or exporting code can expose previously generated artifacts, including potentially sensitive snippets from earlier interactions. Without a warning, users may not realize that export aggregates more than the latest response and places it in a shareable or discoverable location.

Vague Triggers

Medium (92% confidence)

The trigger phrases listed in the description are extremely broad and map onto common software-development requests such as coding, debugging, review, and optimization. This makes accidental invocation or routing overlap with ordinary user intents likely, so the skill can activate outside a narrowly scoped context and expose users to unintended behavior.

Missing User Warnings

Medium (98% confidence)

The code sends the entire message history to a remote API with no user-facing warning, consent flow, or sensitivity check. In a coding-assistant context that history can include source code, credentials, internal paths, stack traces, and other confidential material, which makes the silent transmission particularly risky.
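As an added illustration of the pre-send step that both history-transmission findings say is missing (this is not code from the skill or its provider), the following trims the history to a bounded window, scans what remains for credential-shaped content, and returns findings so the assistant can stop and ask before anything leaves the machine. The regex set, the message format, the turn limit, and the sample conversation are all constructed for the example; the AWS key in it is the documented example key, not a live credential, and a real deployment would use a fuller secret-detection ruleset.

```python
import re

# Illustrative patterns only; names and thresholds are assumptions for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
    "credential_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|password|token)\s*[=:]\s*['\"]?[^\s'\"]{8,}"
    ),
}


def scan_message(text: str) -> list:
    """Return the sorted names of patterns that match `text`."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))


def prepare_outbound(history: list, max_turns: int = 6):
    """Trim the history to the last `max_turns` messages and scan what remains.
    Returns (trimmed_history, findings), where findings is a list of
    (original_index, role, pattern_names). A non-empty findings list means the
    caller must stop and obtain consent before transmitting anything."""
    trimmed = history[-max_turns:]
    offset = len(history) - len(trimmed)
    findings = []
    for i, msg in enumerate(trimmed):
        hits = scan_message(msg["content"])
        if hits:
            findings.append((offset + i, msg["role"], hits))
    return trimmed, findings


def redact(text: str) -> str:
    """Replace each matched secret with a labelled placeholder, for the case
    where the user chooses to send the context minus the credentials."""
    out = text
    for name, rx in SECRET_PATTERNS.items():
        out = rx.sub(f"[REDACTED:{name}]", out)
    return out


# Constructed sample conversation, not a real transcript.
SAMPLE_HISTORY = [
    {"role": "user", "content": "Help me write a Flask route that reads from S3."},
    {"role": "assistant", "content": "Sure. Here is a minimal route using boto3."},
    {"role": "user", "content": (
        "It fails with this .env loaded:\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "DB_PASSWORD=hunter2hunter2\n"
    )},
    {"role": "user", "content": "Also, can you review the error handling in that route?"},
]


def demo() -> list:
    """Run the screen over the sample history and report what would have left the machine."""
    trimmed, findings = prepare_outbound(SAMPLE_HISTORY)
    for idx, role, hits in findings:
        # This is the decision point the skill lacks: show the user what is about
        # to be sent and let them redact, trim, or cancel.
        print(f"message {idx} ({role}) contains: {', '.join(hits)}")
    print(f"{len(trimmed)} of {len(SAMPLE_HISTORY)} messages would be transmitted")
    return findings


if __name__ == "__main__":
    demo()
```

The `credential_assignment` pattern is deliberately loose and will flag ordinary code such as `token = parse(line)`; for a consent prompt that errs in the right direction, since a false positive costs one confirmation while a false negative sends the secret.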

Missing User Warnings

Medium (93% confidence)

Conversation history is written automatically to files under the user's home directory without notice, leaving sensitive prompts, code, and debugging content at rest on disk. On shared systems or compromised endpoints these files become an easy source of confidential information leakage.

VirusTotal

63/63 vendors flagged this skill as clean.
