Adversarial Code Review

Security checks across malware telemetry and agentic risk

Overview

This is a coherent code-review workflow, but users should be aware that its CI example sends PR diffs to Claude and posts the filtered result back to the pull request.

Install only if your repository policy allows PR diffs to be sent to the configured Claude/model provider and allows automated CI comments. Avoid using it on changes that may include secrets, regulated data, or proprietary code unless your organization has approved that data flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The CI example sends the full pull request diff to an external model API and then automatically posts the model output back to the PR, but the skill does not warn users that repository contents may leave their environment. In many repositories, diffs can contain proprietary code, secrets, customer data, or internal architecture details, so silent transmission to a third-party service creates a real data exposure and compliance risk.

VirusTotal

45/45 vendors flagged this skill as clean.
