Back to skill

Security audit

Phy Path Traversal Audit

Security checks across malware telemetry and agentic risk

Overview

This is a local code-scanning helper with no hidden install, network, credential, persistence, or destructive behavior, but its embedded script appears broken as written.

Install only if you want a local source-code audit helper, and verify or fix the embedded Python before relying on its results. It should not need credentials, network access, background services, or broad system access beyond the repository you ask it to scan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The embedded Python implementation initializes the PATTERNS dictionary using _build_js_path_patterns() before that function is defined, which would raise a NameError at import/runtime and prevent the scanner from running. In a security tool, this fail-open operational break is dangerous because users may believe path traversal checks are being performed when the audit script actually crashes or never executes successfully.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.