Security audit

Subagent-Driven Development

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent development workflow that coordinates subagents to edit, test, review, and commit code, with no hidden installer or credential handling found.

Install this only if you want an agent workflow that can make code changes, run tests, and create commits. Use it on a branch, review diffs and commits before pushing or deploying, and clarify language expectations if the Chinese examples could confuse your team.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Medium
Confidence: 96%
Finding
The skill hard-codes Chinese-language content in its `<help_response>` examples without any indication that locale should be chosen based on user, project, or team preferences. In an agent workflow skill, this can cause subagents or operators to emit responses in an unexpected language, degrading review accuracy, causing misunderstandings, and creating opportunities for requirement drift or unsafe execution when instructions are misread.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.