Security audit

QA Reviewer

Security checks across malware telemetry and agentic risk

Overview

This QA skill is a coherent code review and testing helper with expected local file scanning and test execution, but users should inspect its shell scripts before running them on untrusted projects.

Install is reasonable for QA work. Before running the scripts, understand that they scan local project files, create Markdown reports, and the test script may execute that project's build and test commands; use it on trusted codebases or inspect the scripts first.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The test teardown builds a shell command and executes `rm -rf` via `system()`, which is dangerous even in test code because shell invocation expands the attack surface and recursive deletion can remove unintended paths if the directory value is malformed or influenced unexpectedly. In this specific file the path is locally constructed from `/tmp/test_` plus `getpid()`, so the immediate exploitability is limited, but the pattern is still unsafe and can cause destructive filesystem impact if reused or modified.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.