
Security audit

Code Review

Security checks across malware telemetry and agentic risk

Overview

This code-review skill is mostly coherent, but it can direct an agent to edit, commit, and push repository changes without explicit approval or tight scoping.

Install only if you are comfortable with a review helper that may use GitHub CLI and local repository commands. Before allowing it to fix CI failures, require an explicit diff review and confirmation before running project scripts, staging files, committing, or pushing; avoid using it on untrusted repositories outside a sandbox.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration

Findings (3)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The skill's scope expands from reviewing code into actively modifying the repository, committing fixes, and pushing changes when CI fails. That turns a read-mostly analysis skill into one with write capabilities, increasing the risk of unintended or unauthorized code changes if the skill is triggered in the wrong context.

Context-Inappropriate Capability

Severity: Low
Confidence: 79%
Finding: The documentation encourages installing and authenticating GitHub CLI, which enables account-scoped remote access beyond local code inspection. In a skill intended for code review, adding authenticated remote capability broadens the blast radius if the skill is misused or over-triggered.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The activation phrases are broad everyday expressions such as 'レビューして' ("review it") and 'コードをチェック' ("check the code"), which can match common user language and cause unintended invocation. Because this skill can inspect PRs and potentially interact with GitHub tooling, ambiguous triggering increases the chance of accidental higher-privilege behavior.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: reference.md:418