Automated Code Reviewer
Security checks across malware telemetry and agentic risk
Overview
This code-review skill has a legitimate purpose, but it tells agents to run a missing local review script, which could execute unreviewed code from whatever repository is being reviewed.
Review before installing. Treat this as code-review guidance unless you have inspected and trust the actual `review.js` that will run. Do not let an agent execute `node review.js` from an arbitrary repository, and require explicit human confirmation before any approval, merge, or auto-fix action.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
65/65 vendors flagged this skill as clean.