Back to skill

Security audit

codemap

Security checks across malware telemetry and agentic risk

Overview

This is a local developer tool that indexes user-selected code repositories into a SQLite database for symbol lookup, with no evidence of network use, credential access, persistence, or hidden behavior.

Install only if you are comfortable with a local index of symbol names, signatures, file paths, and line numbers from the repositories you explicitly build over. Use the --db option or remove ~/.codemap/index.db if you want tighter control over where that index is stored.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises executable behavior that reads and writes a local SQLite index and invokes a local binary, but it declares no permissions. That mismatch is a real security issue because agents or policy engines may treat the skill as lower risk than it is, reducing user awareness and bypassing expected consent or sandboxing decisions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.