Back to skill

Security audit

Code Pro

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only coding workflow skill with broad activation phrases, but no hidden execution, credential access, persistence, or destructive behavior was found.

Install this if you want ordinary coding requests to follow a structured Code Pro workflow. Be aware that common phrases may activate it unintentionally, and review any generated code or debugging changes before applying them to important projects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase set for deep code analysis is broad enough that ordinary user requests about analyzing or reviewing code could unintentionally activate the skill. In an agent environment, over-broad activation can cause the wrong workflow to run, potentially changing response style, scope, or downstream tool behavior without clear user intent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The debug mode includes ambiguous everyday language such as terms equivalent to 'debug', 'fix issue', and especially 'continue running', which may match normal conversational requests. This raises the risk of unintended mode switching and iterative autonomous behavior when the user did not explicitly request that workflow.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Long-context mode is activated by vague phrases like 'big project', 'complete analysis', or 'comprehensive review', which are common ways users describe ordinary assistance requests. This can unintentionally broaden the model's operational scope, increasing token usage, data exposure across more files, and the chance of overreaching analysis.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Code-generation triggers like 'write code', 'implement', or 'generate code' are extremely common user intents and are too broad to safely distinguish this specialized workflow from normal coding help. In a skill-routing system, this can cause accidental takeover by the skill and lead to unexpected formatting, process constraints, or agent actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.