project-analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is a project documentation generator: it reads a chosen codebase and writes SDD, API and database docs to the local filesystem. Its Apifox integration is disclosed and consistent with that purpose, but it is the one step at which project data can leave the machine, so it warrants user caution.

Install it only for projects you are comfortable having analyzed locally. Before using any Apifox integration, review the generated API/OpenAPI content for secrets, internal endpoints, sample payloads and credentials: syncing sends that content to a third-party service, and anything still embedded in it is transmitted along with it.
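One way to do that pre-sync review, as an added example rather than code from the project-analyzer skill or from Apifox: a Python script that walks a generated OpenAPI 3.x document (loaded as a dict) and reports internal server hosts, internal-looking paths, credential-shaped example values, and non-placeholder values under secret-named keys. The sample document, the pattern lists, the placeholder rules and the severity labels are all constructed for illustration and are assumptions, not something the project defines.

```python
"""Pre-sync review of generated OpenAPI output (added example, not project code).

Assumes the generated API doc is available as a plain dict in OpenAPI 3.x
layout (json.load on a .json file, or yaml.safe_load on a .yaml file).
"""
from __future__ import annotations

import ipaddress
import json
import re
from typing import Any, Iterator
from urllib.parse import urlparse

# Values that are obviously placeholders are not findings (assumed list).
PLACEHOLDER = re.compile(
    r"^(\s*|<.*>|\{\{.*\}\}|string|\*+|x+|redacted|changeme|example)$", re.I)

# Key names that commonly carry credentials in examples/defaults (assumed list).
SECRET_KEYS = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|authorization|private[_-]?key)", re.I)

# Credential-shaped value patterns; first match wins (assumed list).
SECRET_VALUES = [
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("bearer token", re.compile(r"\bBearer\s+[A-Za-z0-9\-_.=]{20,}")),
    ("GitHub token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("PEM private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b")),
]

# Hostname suffixes treated as internal (assumed list).
INTERNAL_SUFFIXES = (".internal", ".local", ".corp", ".lan", ".intranet")


def _esc(key: str) -> str:
    """Escape a dict key as a JSON-pointer segment (RFC 6901)."""
    return key.replace("~", "~0").replace("/", "~1")


def _walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (json_pointer, value) for every leaf in the document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}/{_esc(k)}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}/{i}")
    else:
        yield path, node


def is_internal_host(url: str) -> bool:
    """True for loopback, bare hostnames, internal suffixes and private IPs."""
    host = urlparse(url).hostname or ""
    if not host:                       # relative server URL: nothing to leak
        return False
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES) or "." not in host:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                 # public DNS name
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def scan_openapi(doc: dict) -> list[dict]:
    """Return findings as dicts with severity, JSON-pointer path and issue."""
    findings: list[dict] = []
    # 1. Server URLs that point at internal infrastructure.
    for i, server in enumerate(doc.get("servers", [])):
        url = server.get("url", "")
        if is_internal_host(url):
            findings.append({"severity": "medium", "path": f"/servers/{i}/url",
                             "issue": f"internal server URL: {url}"})
    # 2. Paths that look like internal or administrative surfaces.
    for p in doc.get("paths", {}):
        if re.search(r"/(internal|admin|debug|_?private)(/|$)", p):
            findings.append({"severity": "low", "path": f"/paths/{_esc(p)}",
                             "issue": "internal-looking endpoint"})
    # 3. Leaf strings: credential-shaped values anywhere, and non-placeholder
    #    values under a secret-named key inside example/examples/default.
    for ptr, value in _walk(doc):
        if not isinstance(value, str):
            continue
        for label, pat in SECRET_VALUES:
            if pat.search(value):
                findings.append({"severity": "high", "path": ptr, "issue": f"{label} in value"})
                break
        else:
            segments = ptr.split("/")
            in_example = any(s in ("example", "examples", "default") for s in segments)
            if in_example and any(SECRET_KEYS.search(s) for s in segments) \
                    and not PLACEHOLDER.match(value):
                findings.append({"severity": "high", "path": ptr,
                                 "issue": "non-placeholder value under secret-named key"})
    return findings


# Constructed sample document: not output from any real project.
SAMPLE_DOC = json.loads(r'''
{
  "openapi": "3.0.3",
  "info": {"title": "Orders service (constructed sample)", "version": "1.0.0"},
  "servers": [
    {"url": "https://api.example.com/v1"},
    {"url": "http://orders-db-proxy.corp:8080/v1"},
    {"url": "http://10.0.4.12:9000"}
  ],
  "paths": {
    "/login": {"post": {"requestBody": {"content": {"application/json": {
      "example": {"username": "alice", "password": "Spring2024!"}}}}}},
    "/internal/reindex": {"post": {"responses": {"204": {"description": "ok"}}}},
    "/orders": {"get": {
      "parameters": [{"name": "Authorization", "in": "header",
        "example": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"}],
      "responses": {"200": {"description": "ok"}}}}
  },
  "components": {"schemas": {"S3Creds": {"properties": {
    "access_key_id": {"type": "string", "example": "AKIAIOSFODNN7EXAMPLE"},
    "secret_access_key": {"type": "string", "example": "<redacted>"}
  }}}}
}
''')

if __name__ == "__main__":
    for f in scan_openapi(SAMPLE_DOC):
        print(f"{f['severity']:<6} {f['path']}: {f['issue']}")
```

Run it against the real generated document by replacing SAMPLE_DOC with the loaded file; a non-empty list of high findings means the doc is not ready to sync. The placeholder rule is deliberately narrow, so review anything it lets through by hand, and extend SECRET_KEYS with any header or parameter names your own APIs use for credentials.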

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README promotes syncing generated OpenAPI/project analysis output to Apifox and running interface tests, but it does not warn that project structure, endpoint definitions, sample payloads, or other sensitive API metadata may be transmitted to an external service. In a skill designed to scan codebases and generate documentation from real projects, that omission increases the risk of accidental data exfiltration by users who may assume all processing is local.

VirusTotal

0/64 vendors flagged this skill; all 64 reported it clean.