Generic Quality Gateways for Unattended Agent Development

Security checks across malware telemetry and agentic risk

Overview

This is a repository quality-check skill that may read project and CI evidence and write local reports, but the behavior is disclosed and matches its stated purpose.

Install this only if you want an agent to evaluate a repository and create quality-gate config, temporary files, evidence, and reports under the documented repo paths. Review any generated files and thresholds before committing them or letting the results affect CI/CD release decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (93% confidence)
Finding
The skill explicitly requires writing reports and temporary files into repository paths, but it does not warn the user that running the skill will modify tracked project contents. In an agent setting, undisclosed write behavior can create unintended file changes, pollute commits, or overwrite existing artifacts, especially because output paths are partly config-driven.

Missing User Warnings

Medium (90% confidence)
Finding
The skill instructs the agent to use local commands and CI artifacts to collect metrics, but it does not disclose that this may execute commands or process potentially sensitive repository and CI data. In practice, this expands the skill's access surface and can expose secrets, environment details, or proprietary build metadata without informed consent or clear safety boundaries.

VirusTotal

63/63 vendors flagged this skill as clean.
