Security audit

Dev Factory Repo

Security checks across malware telemetry and agentic risk

Overview

This skill is a powerful automation tool that can run local commands, send code to external AI/cloud services, and update GitHub or Notion with limited approval controls.

Install only in an isolated workspace or VM with low-privilege credentials. Assume generated projects and tests can execute code, and assume source/error snippets may be sent to external AI services. Disable scheduled jobs and auto-publish until you have reviewed the configuration, token scopes, Notion database access, and the exact commands it will run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (56)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

        return {'success': False, 'output': 'Project not found'}

    try:
        result = subprocess.run(
            ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'],
            cwd=self.project_path,
            capture_output=True,

Confidence: 89%
Finding: result = subprocess.run( ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'], cwd=self.project_path, capture_output=True,

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

        return {'success': False, 'output': 'Project path does not exist'}

    try:
        result = subprocess.run(
            ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'],
            cwd=self.project_path,
            capture_output=True,

Confidence: 84%
Finding: result = subprocess.run( ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'], cwd=self.project_path, capture_output=True,

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

    """

    try:
        result = subprocess.run([
            'claude', '-p', prompt,
            '--allowedTools', 'Edit,Write,Bash'
        ], cwd=str(project_path), capture_output=True, text=True,

Confidence: 95%
Finding: result = subprocess.run([ 'claude', '-p', prompt, '--allowedTools', 'Edit,Write,Bash' ], cwd=str(project_path), capture_output=True, text=True,

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

    try:
        # Access GitHub Trending via agent-browser
        subprocess.run([
            'agent-browser', 'open',
            f'https://github.com/trending/{self.language}?since=daily'
        ], capture_output=True, timeout=30, check=False)

Confidence: 91%
Finding: subprocess.run([ 'agent-browser', 'open', f'https://github.com/trending/{self.language}?since=daily' ], capture_output=True, timeout=30, check=F

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

    for keyword in self.keywords[:3]:  # top 3 keywords only
        try:
            query = f"{keyword} security tool 2026"
            result = subprocess.run([
                'node', str(self.brave_search_path),
                query, '-n', '3'
            ], cwd=str(search_path), capture_output=True, text=True,

Confidence: 90%
Finding: result = subprocess.run([ 'node', str(self.brave_search_path), query, '-n', '3' ], cwd=str(search_path), capture_output=True, te

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

    prompt = self._generate_development_prompt(project)

    try:
        result = subprocess.run([
            'claude', '-p', prompt,
            '--output-format', 'json',
            '--allowedTools', 'Edit,Write,Bash'

Confidence: 94%
Finding: result = subprocess.run([ 'claude', '-p', prompt, '--output-format', 'json', '--allowedTools', 'Edit,Write,Bash' ], cwd=str(proj

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

    After fixing, run tests to verify."""

    try:
        result = subprocess.run([
            'claude', '-p', prompt
        ], cwd=str(project_path), capture_output=True, text=True,
           timeout=120, env={**os.environ,

Confidence: 93%
Finding: result = subprocess.run([ 'claude', '-p', prompt ], cwd=str(project_path), capture_output=True, text=True, timeout=120, env={**os.environ,

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

    import os

    try:
        result = subprocess.run(
            ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'],
            cwd=str(project_path),
            capture_output=True,

Confidence: 93%
Finding: result = subprocess.run( ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'], cwd=str(project_path), capture_output=True,

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

    logger.info("Running tests in %s", project_path)

    try:
        result = subprocess.run(
            ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'],
            cwd=str(project_path),
            capture_output=True,

Confidence: 92%
Finding: result = subprocess.run( ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'], cwd=str(project_path), capture_output=True,

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

    def run_specific(self, project_path: Path, test_file: str) -> Dict:
        """Run only the specified test file"""
        try:
            result = subprocess.run(
                ['python3', '-m', 'unittest', test_file, '-v'],
                cwd=str(project_path),
                capture_output=True,

Confidence: 95%
Finding: result = subprocess.run( ['python3', '-m', 'unittest', test_file, '-v'], cwd=str(project_path), capture_output=True, text=Tr

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

    # Run the openclaw agent command
    try:
        result = subprocess.run([
            'openclaw', 'agent',
            '--message', prompt,
            '--json'

Confidence: 90%
Finding: result = subprocess.run([ 'openclaw', 'agent', '--message', prompt, '--json' ], capture_output=True, text=True, timeout=120)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

    prompt = self._generate_fix_prompt(project_idea, error)

    try:
        result = subprocess.run([
            'openclaw', 'agent',
            '--message', prompt
        ], capture_output=True, text=True, timeout=60)

Confidence: 94%
Finding: result = subprocess.run([ 'openclaw', 'agent', '--message', prompt ], capture_output=True, text=True, timeout=60)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

    try:
        # Run unittest
        result = subprocess.run(
            ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'],
            cwd=self.project_path,
            capture_output=True,

Confidence: 93%
Finding: result = subprocess.run( ['python3', '-m', 'unittest', 'discover', '-s', 'tests', '-v'], cwd=self.project_path, capture_output=True,

Tainted flow: 'prompt' from pathlib.Path.read_text (line 202, file read) → subprocess.run (code execution)

Severity: Medium
Category: Data Flow
Content:

    """

    try:
        result = subprocess.run([
            'claude', '-p', prompt,
            '--allowedTools', 'Edit,Write,Bash'
        ], cwd=str(project_path), capture_output=True, text=True,

Confidence: 94%
Finding: result = subprocess.run([ 'claude', '-p', prompt, '--allowedTools', 'Edit,Write,Bash' ], cwd=str(project_path), capture_output=True, text=True,

Tainted flow: 'req' from pathlib.Path.read_text (line 225, file read) → urllib.request.urlopen (network output)

Severity: High
Category: Data Flow
Content:

            }
        )

        with urllib.request.urlopen(req, timeout=30) as response:
            result = json.loads(response.read().decode())
            content = result['choices'][0]['message']['content']

Confidence: 98%
Finding: with urllib.request.urlopen(req, timeout=30) as response:

Tainted flow: 'fixed_code' from pathlib.Path.read_text (line 245, file read) → pathlib.Path.write_text (file write)

Severity: Medium
Category: Data Flow
Content:

    # Modify after backing up
    backup_path = file_path.with_suffix('.py.backup')
    backup_path.write_text(file_content)
    file_path.write_text(fixed_code)

    logger.info("GLM fix applied, backup at %s", backup_path)
    return True

Confidence: 83%
Finding: file_path.write_text(fixed_code)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding: The document makes a materially misleading security claim by stating 'Local storage only (no cloud)' while the workflow clearly uses Notion, a cloud service, to store queued ideas and metadata. This can cause operators to handle data under false assumptions, leading to inappropriate storage of sensitive information in third-party systems and weakened compliance/privacy controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The fixer transmits full source code to an external GLM service as part of its fallback behavior. In the context of a build/correction tool, that materially expands data exposure beyond local code fixing and can disclose confidential source, credentials, or internal logic to a remote provider.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: Invoking an external coding agent with Edit, Write, and especially Bash permissions gives it broad authority over the repository and host environment. In a code-fixing context, this is more dangerous because project contents can contain adversarial instructions that the agent may follow, leading to arbitrary command execution or destructive modifications.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The discovery component contains an unrelated capability to exfiltrate discovered content to Notion using a locally sourced API credential. Mixing discovery with outbound publication increases the blast radius: if invoked unexpectedly, the skill can transmit locally collected data to a third-party service without a strong separation of duties or explicit consent flow.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The document explicitly instructs users to launch an external agent process via subprocess without any warning that it can execute real actions and create or modify files in the target workspace. In an agent skill context, omission of those safety boundaries increases the risk of unintended code generation, workspace changes, or execution against a real environment.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The direct sessions_spawn example describes invoking a real agent tool with a live task and writable cwd, but does not warn that this may trigger actual agent actions in the local workspace. Because this is framed as something to test immediately if possible, it materially increases the chance of unreviewed file creation or modification.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The report states that success/failure patterns are automatically stored in memory/log files, which can capture prompts, project details, errors, and other sensitive development context. In an agent skill, silent retention of this data increases the risk of leaking secrets, proprietary code patterns, or personal data through long-term storage and later reuse.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The document recommends an automated self-modification feature that edits local source files based on parsed error output, but it provides no safety guardrails such as path restrictions, backups, confirmation prompts, or validation of the suggested patch. In an agent skill context, guidance that normalizes automatic file rewriting can lead to unintended or attacker-influenced code changes, corruption of unrelated files, or unsafe persistence of faulty fixes.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The document explicitly describes fully automated GitHub publishing and bidirectional Notion-triggered builds, but does not mention confirmation gates, approval requirements, dry-run behavior, or user-visible warnings about external side effects. In an agent skill context, documenting unattended repo creation, pushes, releases, and build triggers can normalize dangerous autonomous behavior that may cause unintended code publication, data leakage, or costly actions if adopted as-is.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.