Caveman Review

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only code review style skill that makes review comments terse and does not install code, access credentials, or run commands.

Install this if you want terse, paste-ready PR review comments. Be aware that common review phrases may trigger this style automatically; use "normal mode" or "stop caveman-review" when you want fuller explanations, especially for security or architecture reviews.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The skill declares that it auto-triggers when reviewing pull requests, and its matching phrases include broad natural-language requests such as "review this PR" and "code review". In an agent environment, overly broad trigger conditions can activate the skill in contexts the user did not explicitly intend, altering review behavior, suppressing fuller analysis, or producing inappropriately terse output during security-sensitive reviews.
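The check below is an added illustration of how a "Vague Triggers" heuristic can be applied to a skill's activation phrases; it is not SkillSpector's code and not part of the Caveman Review skill. The two phrases "review this PR" and "code review" come from the finding above; the sample user requests, the sensitive-context word list, the token-containment matching rule and the severity mapping are all constructed assumptions for the example.

```python
"""Added example: heuristic "Vague Triggers" check for an agent skill's
activation phrases. Not SkillSpector's code; the matching rule, sample
requests and severity mapping are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Constructed sample of ordinary requests a user might type without meaning
# to invoke any particular skill. Some are security/architecture reviews,
# where a terse review style is the wrong default.
GENERIC_REQUESTS = [
    "review this PR",
    "can you do a code review of the auth changes",
    "please review this pull request for security issues",
    "code review: new crypto module",
    "summarize this PR's risk for the architecture meeting",
]

# Assumed list of words signalling a context where fuller explanation is wanted.
SENSITIVE_CONTEXT = re.compile(r"\b(security|auth|crypto|secret|token|architecture)\b")


def normalize(text: str) -> set[str]:
    """Lowercase, fold 'pull request' to 'pr', drop punctuation, return the token set."""
    text = text.lower().replace("pull request", "pr")
    return set(re.findall(r"[a-z0-9]+", text))


@dataclass
class TriggerReport:
    phrase: str
    matched: list[str] = field(default_factory=list)    # requests the trigger fires on
    sensitive: list[str] = field(default_factory=list)  # subset in sensitive contexts
    broad: bool = False
    severity: str = "none"


def evaluate_trigger(phrase: str, requests=GENERIC_REQUESTS, broad_ratio=0.4) -> TriggerReport:
    """Crude model of keyword-style skill matching: a trigger fires on a request
    when every token of the phrase appears in it. The trigger is flagged broad
    when it fires on a large share of generic requests or on any request in a
    security/architecture context (assumed heuristic)."""
    needed = normalize(phrase)
    report = TriggerReport(phrase)
    for req in requests:
        if needed and needed <= normalize(req):
            report.matched.append(req)
            if SENSITIVE_CONTEXT.search(req.lower()):
                report.sensitive.append(req)
    ratio = len(report.matched) / len(requests)
    report.broad = ratio >= broad_ratio or bool(report.sensitive)
    if report.sensitive:
        report.severity = "medium"   # terse output would land on a sensitive review
    elif report.broad:
        report.severity = "low"
    return report


def scan_skill(triggers: list[str]) -> dict[str, TriggerReport]:
    """Evaluate every declared trigger phrase of a skill."""
    return {t: evaluate_trigger(t) for t in triggers}


if __name__ == "__main__":
    # The first two phrases are the ones the finding cites; "caveman review"
    # is an assumed narrow alternative shown for contrast.
    for phrase, rep in scan_skill(["review this PR", "code review", "caveman review"]).items():
        print(f"{phrase!r}: broad={rep.broad} severity={rep.severity} "
              f"matched={len(rep.matched)} sensitive={rep.sensitive}")
```

The two cited phrases each fire on generic requests that mention auth, crypto or security, which is exactly the condition the finding describes: the skill would switch a security review to terse output without the user asking for it. A phrase that names the skill itself fires on none of the sample requests and passes.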

VirusTotal

65/65 vendors flagged this skill as clean.
