Security audit

Find Orphans

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent code-cleanup helper that scans project files and reports likely unused code, with no evidence of hidden collection, persistence, or automatic deletion.

Install this only if you want an agent to inspect your project for unused files and code. Treat the results as heuristic recommendations: run it on a branch, review any generated cleanup script line by line, and run builds/tests before applying removals.

SkillSpector

By NVIDIA
Vulnerability patterns checked
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger conditions are broad enough to activate on generic cleanup or legacy-code requests, which can cause the skill to run in contexts where the user did not specifically ask for orphan-file analysis. In a code-cleanup skill, ambiguous activation increases the chance of unsafe recommendations or follow-on deletion of files that are not actually safe to remove.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The README explicitly frames the skill around deleting unused files but does not require confirmation, dry-run behavior, or warnings about false positives and accidental removal of important assets. In this context, users may treat the report as authoritative and remove files that affect builds, runtime behavior, or embedded user/business data.
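The safeguards this finding asks for (dry run by default, explicit confirmation, and a false-positive screen before any file is removed) can be put in front of a scanner's orphan list. The block below is an added example and is not code from the Find Orphans skill or from SkillSpector; the protected-path patterns, the stem-based reference check and the sample project tree are assumptions constructed for the demonstration.

```python
"""Dry-run gate for orphan-file cleanup recommendations (example, not the skill's code)."""
import re
import tempfile
from pathlib import Path

# Assumption: paths an unused-code heuristic commonly misreports as orphans
# because they are loaded by name at runtime or consumed by tooling, not imported.
PROTECTED_PATTERNS = (
    re.compile(r"(^|/)\.github/"),
    re.compile(r"(^|/)(migrations|fixtures|locales?|data)/"),
    re.compile(r"\.(env|lock|toml|ya?ml|ini|cfg)$"),
    re.compile(r"(^|/)(LICENSE|NOTICE|README)"),
)


def is_protected(rel_path: str) -> bool:
    """Files matching a protected pattern are never deletion candidates."""
    return any(p.search(rel_path) for p in PROTECTED_PATTERNS)


def is_referenced(root: Path, candidate: Path) -> bool:
    """True if any other file under root mentions the candidate's stem as a whole
    word. Matching on the stem ('util' for util.py) catches dynamic imports,
    string-based plugin loaders and build configs that an import graph misses.
    Deliberately over-inclusive: on doubt, the file is kept."""
    target = candidate.resolve()
    pattern = re.compile(r"\b" + re.escape(candidate.stem) + r"\b")
    for path in root.rglob("*"):
        if not path.is_file() or path.resolve() == target or ".git" in path.parts:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if pattern.search(text):
            return True
    return False


def triage(root: Path, candidates) -> dict:
    """Sort reported orphans into buckets; only the 'safe' bucket may ever be deleted."""
    report = {"missing": [], "protected": [], "referenced": [], "safe": []}
    for rel in candidates:
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)      # stale entry in the scanner output
        elif is_protected(rel):
            report["protected"].append(rel)
        elif is_referenced(root, path):
            report["referenced"].append(rel)   # likely false positive
        else:
            report["safe"].append(rel)
    return report


def apply_cleanup(root: Path, report: dict, confirm: bool = False) -> list:
    """Dry run by default: returns the planned removals without touching disk.
    Only confirm=True deletes, and then only files from the 'safe' bucket."""
    planned = list(report["safe"])
    if not confirm:
        return planned
    removed = []
    for rel in planned:
        (root / rel).unlink()
        removed.append(rel)
    return removed


def build_sample_project(root: Path) -> list:
    """Constructed sample tree plus the candidate list a scanner might emit for
    it (everything without a static import edge, plus one stale entry)."""
    files = {
        "app/main.py": "from app import util\n\nprint(util.add(1, 2))\n",
        "app/util.py": "def add(a, b):\n    return a + b\n",
        "app/loader.py": "import importlib\nimportlib.import_module('app.plugin_x')\n",
        "app/plugin_x.py": "def register():\n    pass\n",
        "app/old_report.py": "# nothing imports this\n",
        "config/settings.toml": "[tool]\nname = 'demo'\n",
    }
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return ["app/util.py", "app/plugin_x.py", "app/old_report.py",
            "config/settings.toml", "app/deleted_long_ago.py"]


def demo() -> dict:
    """Run the gate end to end on the constructed project and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        report = triage(root, build_sample_project(root))
        dry_run = apply_cleanup(root, report)            # default: nothing deleted
        untouched = all((root / rel).is_file() for rel in dry_run)
        removed = apply_cleanup(root, report, confirm=True)
        survivors = sorted(p.relative_to(root).as_posix()
                           for p in root.rglob("*") if p.is_file())
        return {"report": report, "dry_run": dry_run, "untouched": untouched,
                "removed": removed, "survivors": survivors}


if __name__ == "__main__":
    print(demo())
```

The reference check is text-based on purpose: a file that only a string-based plugin loader or a build config names is exactly the kind of "orphan" whose removal breaks runtime behaviour, and a whole-word search for the stem errs toward keeping it. Running the gate on a branch with a clean working tree keeps any mistake revertable.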

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.