Dev Factory

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent automated development agent, but it gives AI agents broad command, file, cloud, and publishing authority without enough user approval or containment.

Install only if you are comfortable giving this skill access to run commands, modify project files, use GLM/Claude/Notion/GitHub credentials, and potentially publish generated code. Use private GitHub repos by default, disable auto-publish/daemon health exposure unless needed, run builds in a sandbox with a scrubbed environment, and avoid using it on repositories or prompts that contain secrets or proprietary code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (74)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return {'success': False, 'output': 'Project not found'}
        
        try:
            result = subprocess.run(
                ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'],
                cwd=self.project_path,
                capture_output=True,
Confidence
88% confidence
Finding
result = subprocess.run( ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'], cwd=self.project_path, capture_output=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return {'success': False, 'output': 'Project path does not exist'}

        try:
            result = subprocess.run(
                ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'],
                cwd=self.project_path,
                capture_output=True,
Confidence
91% confidence
Finding
result = subprocess.run( ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'], cwd=self.project_path, capture_output=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""

        try:
            result = subprocess.run([
                'claude', '-p', prompt,
                '--allowedTools', 'Edit,Write,Bash'
            ], cwd=str(project_path), capture_output=True, text=True,
Confidence
96% confidence
Finding
result = subprocess.run([ 'claude', '-p', prompt, '--allowedTools', 'Edit,Write,Bash' ], cwd=str(project_path), capture_output=True, text=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            # Access GitHub Trending via agent-browser
            subprocess.run([
                'agent-browser', 'open',
                f'https://github.com/trending/{self.language}?since=daily'
            ], capture_output=True, timeout=30, check=False)
Confidence
82% confidence
Finding
subprocess.run([ 'agent-browser', 'open', f'https://github.com/trending/{self.language}?since=daily' ], capture_output=True, timeout=30, check=F

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _push_to_github(self, project_path: Path, repo_url: str):
        """Push to GitHub"""
        subprocess.run(['git', 'remote', 'add', 'origin', repo_url],
                      cwd=str(project_path), capture_output=True)
        subprocess.run(['git', 'push', '-u', 'origin', 'main'],
                      cwd=str(project_path), capture_output=True)
Confidence
77% confidence
Finding
subprocess.run(['git', 'remote', 'add', 'origin', repo_url], cwd=str(project_path), capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Push to GitHub"""
        subprocess.run(['git', 'remote', 'add', 'origin', repo_url],
                      cwd=str(project_path), capture_output=True)
        subprocess.run(['git', 'push', '-u', 'origin', 'main'],
                      cwd=str(project_path), capture_output=True)

    def _create_release(self, project_path: Path, title: str, description: str):
Confidence
83% confidence
Finding
subprocess.run(['git', 'push', '-u', 'origin', 'main'], cwd=str(project_path), capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
prompt = self._generate_development_prompt(project)

        try:
            result = subprocess.run([
                'claude', '-p', prompt,
                '--output-format', 'json',
                '--allowedTools', 'Edit,Write,Bash'
Confidence
94% confidence
Finding
result = subprocess.run([ 'claude', '-p', prompt, '--output-format', 'json', '--allowedTools', 'Edit,Write,Bash' ], cwd=str(proj

subprocess module call

Medium
Category
Dangerous Code Execution
Content
After fixing, run tests to verify."""

        try:
            result = subprocess.run([
                'claude', '-p', prompt
            ], cwd=str(project_path), capture_output=True, text=True,
               timeout=120, env={**os.environ,
Confidence
89% confidence
Finding
result = subprocess.run([ 'claude', '-p', prompt ], cwd=str(project_path), capture_output=True, text=True, timeout=120, env={**os.environ,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import os

        try:
            result = subprocess.run(
                ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'],
                cwd=str(project_path),
                capture_output=True,
Confidence
92% confidence
Finding
result = subprocess.run( ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'], cwd=str(project_path), capture_output=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

        try:
            result = subprocess.run(
                command,
                shell=True,
                cwd=str(workspace),
Confidence
98% confidence
Finding
result = subprocess.run( command, shell=True, cwd=str(workspace), capture_output=True, text=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
                logger.info("Running %s hook: %s", hook.value, cmd)

                result = subprocess.run(
                    cmd,
                    shell=True,
                    cwd=str(workspace.path),
Confidence
99% confidence
Finding
result = subprocess.run( cmd, shell=True, cwd=str(workspace.path), capture_output=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
logger.info("Running tests in %s", project_path)

        try:
            result = subprocess.run(
                ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'],
                cwd=str(project_path),
                capture_output=True,
Confidence
88% confidence
Finding
result = subprocess.run( ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'], cwd=str(project_path), capture_output=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_specific(self, project_path: Path, test_file: str) -> Dict:
        """Run only a specific test file"""
        try:
            result = subprocess.run(
                ['python3', '-m', 'unittest', test_file, '-v'],
                cwd=str(project_path),
                capture_output=True,
Confidence
93% confidence
Finding
result = subprocess.run( ['python3', '-m', 'unittest', test_file, '-v'], cwd=str(project_path), capture_output=True, text=Tr

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            # Measure coverage with pytest-cov
            result = subprocess.run(
                ['python3', '-m', 'pytest',
                 '--cov=.',
                 '--cov-report=json',
Confidence
90% confidence
Finding
result = subprocess.run( ['python3', '-m', 'pytest', '--cov=.', '--cov-report=json', '--cov-report=term-missing',

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Run the openclaw agent command
        try:
            result = subprocess.run([
                'openclaw', 'agent',
                '--message', prompt,
                '--json'
Confidence
94% confidence
Finding
result = subprocess.run([ 'openclaw', 'agent', '--message', prompt, '--json' ], capture_output=True, text=True, timeout=120)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
prompt = self._generate_fix_prompt(project_idea, error)
        
        try:
            result = subprocess.run([
                'openclaw', 'agent',
                '--message', prompt
            ], capture_output=True, text=True, timeout=60)
Confidence
95% confidence
Finding
result = subprocess.run([ 'openclaw', 'agent', '--message', prompt ], capture_output=True, text=True, timeout=60)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return {'success': False, 'output': 'Project not found'}
        
        try:
            result = subprocess.run(
                ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'],
                cwd=self.project_path,
                capture_output=True,
Confidence
86% confidence
Finding
result = subprocess.run( ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'], cwd=self.project_path, capture_output=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            # Run unittest
            result = subprocess.run(
                ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'],
                cwd=self.project_path,
                capture_output=True,
Confidence
93% confidence
Finding
result = subprocess.run( ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'], cwd=self.project_path, capture_output=True,

Tainted flow: 'prompt' from pathlib.Path.read_text (line 202, file read) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
"""

        try:
            result = subprocess.run([
                'claude', '-p', prompt,
                '--allowedTools', 'Edit,Write,Bash'
            ], cwd=str(project_path), capture_output=True, text=True,
Confidence
98% confidence
Finding
result = subprocess.run([ 'claude', '-p', prompt, '--allowedTools', 'Edit,Write,Bash' ], cwd=str(project_path), capture_output=True, text=True,

Tainted flow: 'req' from pathlib.Path.read_text (line 225, file read) → urllib.request.urlopen (network output)

High
Category
Data Flow
Content
}
            )

            with urllib.request.urlopen(req, timeout=30) as response:
                result = json.loads(response.read().decode())
                content = result['choices'][0]['message']['content']
Confidence
97% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as response:

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The document states that there is no sensitive data in code, yet it includes a concrete Notion database ID in the configuration. While a database ID is not equivalent to an API key, it is still an internal identifier that can aid reconnaissance, enable unintended linking of internal resources, and contradict the stated security posture.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The guide claims 'Local storage only (no cloud)' but also documents queuing data into Notion, which is a third-party cloud service. This creates a misleading data-handling statement that can cause operators to underestimate privacy, compliance, and external exposure risks.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill includes a network-based LLM fallback that exports local code and error context to an external service. In a code-repair component, this substantially increases risk because the component is likely to process arbitrary project files that may contain sensitive intellectual property or secrets.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The fixer invokes an external agent with edit/write/bash capabilities that exceed the needs of a simple deterministic code correction routine. In this context, granting broad tool powers to an autonomous agent materially increases the blast radius of prompt injection, misalignment, or accidental destructive actions.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code uses project['source'] directly in the filename for per-project logs while claiming namespace isolation. Because no sanitization or boundary enforcement is applied, an attacker controlling source could inject path separators or special path values and cause writes outside the intended projects directory, breaking isolation and potentially overwriting arbitrary user-accessible files.

VirusTotal

64/64 vendors flagged this skill as clean.
