ClawHub
Back to skill

Security audit

Phy Code Smell

Security checks across malware telemetry and agentic risk

Overview

This is a local code-quality scanner that reads project source files to report code smells, with no evidence of network access, persistence, credential use, or destructive behavior.

Install only if you want a local static code-smell analyzer. Run it from the intended repository or provide a narrow --root path, because it recursively reads supported source files under that root and reports snippets, paths, and line-level findings in the output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrase "Review my codebase for code smells" is broad enough to match ordinary user requests that do not explicitly invoke this skill, which can cause unintended activation. In an agent ecosystem, ambiguous triggers can hijack routing and cause the wrong tool to inspect large codebases or override more appropriate skills, creating integrity and privacy risks.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The phrase "Code quality audit before the refactoring sprint" is conversational and underspecified, making accidental activation plausible in normal planning or discussion contexts. In multi-skill agents, this can lead to misrouting, unnecessary repository scanning, and disclosure of source snippets to a skill the user did not intentionally select.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The phrase "Show me the worst-smelling files in this project" is a generic request that overlaps with common developer language, so it may spuriously trigger this skill. Because the skill recursively walks files under a root path, unintended activation increases the chance of scanning sensitive repositories or consuming resources without clear user intent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.