Back to skill

Security audit

Code Health Scanner

Security checks across malware telemetry and agentic risk

Overview

The artifact appears to be a disclosed scan/reporting workflow, with no confirmed evidence of hidden execution, persistence, credential abuse, or automatic code modification.

This looks acceptable to install for scan/report use. Before relying on it, confirm whether any auto-fix or remediation mode exists in the published files; if it does, use it only when it is explicit, opt-in, and produces reviewable changes before anything is applied.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The design explicitly adds auto-fix capabilities to a skill described as a diagnosis/reporting tool, creating a scope mismatch between what users expect and what the skill may actually do. This increases the risk of unintended code modification, especially if fixes are proposed or applied without clear disclosure, consent, or safety constraints.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Including an auto-fix stage in the scan flow materially expands the skill from passive analysis into active change generation, which can surprise users and downstream systems that only authorized read-only diagnosis. In a security-sensitive code analysis context, silent or loosely controlled fix behavior can introduce unsafe edits, regressions, or trust-boundary violations.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.