Back to skill

Security audit

accesslint

Security checks across malware telemetry and agentic risk

Overview

AccessLint is a local accessibility scanner with disclosed project scanning and optional git-hook integration, with some review-worthy operational cautions but no artifact-backed malicious behavior.

Reasonable to install for local accessibility scanning if you trust the publisher. Before running hooks install, review the resulting lefthook.yml because it persists in the repository and can block future commits. Avoid using untrusted custom policy regexes in shared config unless your team controls and reviews them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Custom policy regexes are loaded from a user-controlled config file and passed directly into grep -E across repository files. This can enable regex-based denial of service, unexpected matching behavior, or workflow disruption in environments where untrusted or centrally managed config is present; the embedded Python also silently expands the tool's trust boundary into the user's home directory.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The skill includes many broad natural-language trigger phrases such as generic requests to scan code, audit templates, or generate reports, without strong boundaries limiting when the skill should activate. In an agentic environment, this can cause over-broad invocation on unintended repositories or user requests, leading to unnecessary file access, project scanning, or project modification if follow-on commands like hook installation are suggested or run.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.