Security audit

AI Code Review

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate code-review skill, but it can move from reviewing into changing code and pushing commits with the user's GitHub account.

Install only if you want an agent to inspect repositories and GitHub PR/CI data. Before using it, tell the agent whether it may modify files, and require explicit confirmation plus a shown diff before any commit, push, dependency update, or CI-fix action. Verify the active GitHub account and review any local `~/.claude/CLAUDE.md` guidance it may rely on.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Description-Behavior Mismatch

Medium, 96% confidence

Finding: The skill's stated purpose is code review, but these instructions expand into making code changes and completing the delivery workflow when CI fails on the user's own PR. That scope creep is dangerous because a review-oriented skill may perform unintended write actions based on ambiguous ownership/context, increasing the chance of unauthorized or unsafe modifications.

Context-Inappropriate Capability

Medium, 98% confidence

Finding: The explicit `git add`, `git commit`, and `git push` steps authorize repository write operations that are not necessary for a review-only skill. In an agent setting, this can turn a passive analysis tool into an actor that mutates remote state, potentially committing incorrect, unreviewed, or attacker-influenced changes to a repository.

Vague Triggers

Medium, 87% confidence

Finding: The trigger phrases are broad, everyday expressions like 'レビューして' and 'コードをチェック', which can cause the skill to activate in contexts the user did not intend. Because the skill can invoke repository and GitHub inspection commands, accidental activation increases the risk of unnecessary access to repo metadata and execution of higher-risk instructions contained later in the skill.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal (Critical)

File appears to expose a hardcoded API secret or token.

Location: reference.md:418