
Security audit

Coding Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a coding-agent delegation helper, but it repeatedly encourages permission bypass, auto-approval, and background agent runs without enough user control or warning.

Install only if you are comfortable giving delegated coding agents broad authority over the selected working directory. Prefer read-only or narrowly approved modes, avoid `--approve-all` and permission-bypass modes unless you have isolated the repo and reviewed the task, and do not run it where sensitive credentials or live production code could be modified accidentally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill explicitly recommends `claude --permission-mode bypassPermissions` as a fallback path, which normalizes disabling permission safeguards for a coding agent that can inspect and modify repositories. In this context, the agent is delegated broad coding tasks, so removing approval barriers increases the chance of unintended file changes, command execution, or access to sensitive project data without an explicit user risk warning.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The prompt pattern repeatedly instructs launching Claude Code with bypassed permissions and then delegating exploration and task execution, effectively encouraging unsafe defaults in normal workflows. Because this skill is specifically for autonomous coding/refactoring across arbitrary repositories, bypassing permission checks can expose source code, secrets, and system state to broad agent actions without meaningful friction.

Missing User Warnings

Severity: Low
Confidence: 79%
Finding
Listing preconfigured credential variable names (`GITHUB_TOKEN`, `GOOGLE_API_KEY`, `OPENAI_API_KEY`) is not a secret leak by itself, but it advertises the presence of sensitive credentials in agent-accessible environments without guidance on protecting them. In a skill that delegates work to external coding agents and MCP tooling, this increases the chance that prompts or tools inadvertently access, echo, or misuse those credentials.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The example `acpx --approve-all ...` encourages fully automatic approval of agent actions without warning that the delegated coding agent may make arbitrary file changes or execute impactful operations. In this skill, which is meant for refactors, test fixing, and parallel agent runs, auto-approval removes a key safety control and can turn prompt mistakes or hostile repository content into unrestricted actions.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content
acpx codex -s backend "refactor the API layer"
acpx codex -s frontend "update the React components"

# Auto-approve permissions
acpx --approve-all codex exec "run and fix failing tests"

# Fire-and-forget (background)
Confidence: 91%
Finding
Auto-approve

VirusTotal

62/62 vendors flagged this skill as clean.
