Back to skill

Security audit

Code Reviewer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent code-review skill that reads repository diffs and can optionally create a local HTML report, with no evidence of exfiltration or destructive behavior.

Install only if you are comfortable letting the skill inspect the current repository's diffs and surrounding code. Use explicit commands like "code review staged" or "generate HTML report" to avoid accidental broad review, and confirm before allowing it to create .code-reviews/ or update .gitignore.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to read repository files and create HTML reports, which implies file read/write capabilities, but the manifest declares no permissions. This mismatch weakens permission transparency and can cause the skill to operate with broader capabilities than a user would reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The skill is presented as a code review tool, but it also instructs the agent to generate corrected code on request. That expands the skill from analysis into code-generation/modification guidance, which can surprise users and increase the chance that a review-only invocation results in actionable change suggestions beyond the advertised scope.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The skill claims to be read-only and says it will never modify repo code, but later offers to 'fix now' by generating corrected code. Even if it does not directly edit files, this creates conflicting safety expectations and can mislead users or supervising systems about whether the skill is strictly analysis-only.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Using the single-word trigger "review" as a primary activation phrase is overly broad and likely to collide with ordinary user conversation, causing the skill to activate unintentionally. In an agent environment, accidental invocation can expose repository diffs, commit history, or generate actions the user did not explicitly intend, increasing the risk of prompt-routing mistakes and unnecessary access to sensitive code context.

Vague Triggers

Medium
Confidence
79% confidence
Finding
Using a very broad trigger like 'review' can cause the skill to activate in ordinary conversation or in contexts where the user did not intend a repository code review. Over-broad activation increases the risk of unintended repo inspection, tool use, and context expansion, especially because the skill defaults to scanning uncommitted changes.

Vague Triggers

Medium
Confidence
75% confidence
Finding
Triggering on a provided commit hash or vague pre-commit phrasing lacks clear boundaries and may invoke the skill based on incidental text that resembles a SHA or general workflow discussion. This can lead to unintended access to git history or diff content without a sufficiently explicit user request.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill can create HTML reports and modify .gitignore, but these write behaviors are not clearly disclosed in the user-facing description. Undisclosed side effects are risky because users may invoke what appears to be a read-only review tool without realizing it can write files into the repository.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.