CodeWiki Generator

Security checks across malware telemetry and agentic risk

Overview

This skill openly generates a local codewiki documentation site from a repository, and its file access, local writes, scripts, npm setup, and optional deployment steps match that purpose.

Install this if you want an agent to inspect a target repository and generate source-derived documentation. Review codewiki/ and codewiki/.meta/ before committing, sharing, or deploying them because they can reveal project structure, dependencies, symbols, and copied local images. Consider pinning npm dependency versions if reproducibility matters, and use the Cloudflare deployment workflow only when you intentionally want the docs published.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3 (Medium)

Category: MCP Least Privilege
Confidence: 93%
Finding: The skill instructs the agent to read the repository, write a full `codewiki/` documentation tree, and execute multiple shell commands (`python3`, `npm`, `npx`) but does not declare any permissions. This creates a capability/permission mismatch: a host may expose the skill as low-risk while it can perform filesystem modification and command execution, increasing the chance of unintended code execution, dependency installation, or repository changes.

VirusTotal

64/64 vendors flagged this skill as clean.
