Back to skill

Security audit

Code Mentor

Security checks across malware telemetry and agentic risk

Overview

This coding tutor is not clearly malicious, but it can run local test code and automatically save learning history without strong user controls.

Install only if you are comfortable with a coding tutor that may read selected code files, run local test suites, and save progress notes. Do not use the test runner on untrusted repositories or projects containing secrets unless you run it in an isolated environment, and review or delete references/user-progress/learning_log.md if you do not want session history retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
'--tb=short'
            ]

            process = subprocess.run(
                cmd,
                capture_output=True,
                text=True,
Confidence
94% confidence
Finding
process = subprocess.run( cmd, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
'-v'
            ]

            process = subprocess.run(
                cmd,
                capture_output=True,
                text=True,
Confidence
94% confidence
Finding
process = subprocess.run( cmd, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            cmd = ['npx', 'jest', self.target, '--verbose']

            process = subprocess.run(
                cmd,
                capture_output=True,
                text=True,
Confidence
92% confidence
Finding
process = subprocess.run( cmd, capture_output=True, text=True, timeout=60 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises optional scripts and persistent file updates but does not declare corresponding permissions, creating a transparency and governance gap around file reads and shell-like execution. In a tutoring context, those capabilities could access local files or invoke local tooling without clear user or platform review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented role is a programming tutor, but the skill also describes running tests, invoking external tooling, and performing code analysis beyond the narrow stated scope. That mismatch is dangerous because users and reviewers may not expect local execution or broader language/tool handling, increasing the chance of unsafe operations on untrusted code or repositories.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill mandates writing a detailed learning log to disk after each session, which is data persistence unrelated to the core tutoring function unless the user has knowingly opted in. This creates privacy and data-retention risk because user prompts, goals, weaknesses, and potentially pasted code or project details may be stored locally without necessity or clear consent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill is described as a programming tutor, but this code adds the ability to execute local code through test frameworks. That capability materially increases risk because tutoring workflows commonly involve untrusted code from users, making arbitrary code execution especially dangerous in this context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README states that learning progress is automatically saved after each session, but provides no privacy notice, retention policy, or warning about what user content may be stored. In a tutoring skill, users may paste source code, debugging traces, interview answers, or other sensitive material, so silent persistence can lead to unintended data retention and privacy exposure.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Broad natural-language triggers such as common phrases can cause unintended skill activation, especially in mixed conversations where the user did not mean to invoke this skill. In this skill, accidental activation matters more because the documented behavior includes reading references, analyzing code, and persisting progress, which could lead to unwanted data handling or tool usage.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs itself to persist user progress without an upfront disclosure or consent notice, which is a direct privacy and transparency issue. Because the stored log includes session history, goals, notes, and review areas, users may unknowingly have educational, professional, or project-specific information written to disk.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The file explicitly states that learning progress is automatically saved after each session, but it does not warn the user about persistence, retention, or visibility of that data. While the data described is low-sensitivity educational progress, silent persistence can still create privacy and transparency issues, especially if users do not expect their activity history to be recorded.

Ssd 3

Medium
Confidence
93% confidence
Finding
Automatic session logging to a persistent file without clear limits on retained input creates a genuine data-handling risk. Because this skill encourages users to submit code, debugging context, and project details, the log could capture secrets, proprietary code, credentials, or personal information and retain them indefinitely.

Ssd 3

Medium
Confidence
93% confidence
Finding
Mandatory detailed logging of learning history can retain sensitive user-provided content in plain language, including pasted code, interview-prep weaknesses, project details, or potentially proprietary snippets. Even without malicious intent, this expands the blast radius of any local compromise or unintended file sharing.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# The skill works perfectly without them!

# For code analysis (analyze_code.py)
pylint>=2.15.0

# For testing (run_tests.py)
pytest>=7.2.0
Confidence
96% confidence
Finding
pylint>=2.15.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pylint>=2.15.0

# For testing (run_tests.py)
pytest>=7.2.0

# For better output formatting
colorama>=0.4.6
Confidence
97% confidence
Finding
pytest>=7.2.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/analyze_code.py:197