Security audit

Development Coding Agent

Security checks across malware telemetry and agentic risk

Overview

This is a coding-helper skill that runs OpenCode on user-chosen projects and can modify code, but its behavior is disclosed and aligned with that purpose.

Use this only in a Git repository you are willing to let an agent edit. Run it on a branch or clean worktree, monitor background runs, review diffs before committing, and be especially careful with generated database migrations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill repeatedly provides commands that delegate code changes, refactors, tests, and database migrations to an external coding agent without any guidance to review diffs, validate generated code, or safeguard data before execution. In this context, users may run impactful commands directly in real repositories, increasing the chance of unintended file modification, insecure code generation, or destructive schema changes.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.