Security audit

代码错误大白话解释器

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed code-error helper that reads local code only for debugging, with no evidence of hidden execution, uploads, or file modification.

Install if you want a beginner-friendly code debugging explainer. Only provide the specific files or snippets needed for the error, avoid sharing secrets such as API keys or passwords in code or logs, and make sure the agent tells you which files it plans to read before local inspection.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger list includes very broad phrases such as “帮忙看代码”, “找出问题”, and “代码有问题”, which can cause the skill to activate in situations where the user did not explicitly consent to local code inspection. In this skill’s context, over-triggering is more dangerous because the workflow explicitly requests file paths and reads local files, increasing the chance of unintended access to sensitive source code.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.