Back to skill

Security audit

Code Analysis Skills

Security checks across malware telemetry and agentic risk

Overview

This skill locally analyzes Git commit history for self-reflection or consented team retrospectives, and its sensitive per-author metrics are disclosed and scoped rather than hidden.

Install only for your own Git-history reflection or a team retrospective where every included author has explicitly consented. Do not use the generated reports for performance reviews, ranking, compensation, discipline, or surveillance, and store reports carefully because they contain identifiable work-history data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The code exposes a reusable author-filtering mechanism that can target specific contributors' commit histories without any technical enforcement of the stated consent gate. Although the docstrings say the filter is only populated by the CLI after consent checks, the class can be instantiated directly by any Python caller and will analyze any supplied author identifiers, enabling worker-surveillance or non-consensual profiling contrary to the skill's declared safety boundary.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The analyzer API provides arbitrary contributor-targeting as a normal reusable feature even though the skill is supposed to operate only for self-reflection or fully consented team retrospectives. In this context, exposing selective author analysis as a library primitive creates a straightforward path for downstream code to repurpose the skill for employee monitoring, ranking, or retrospective analysis without the explicit-intent and consent controls described in the manifest.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The module explicitly states that direct instantiation is unsupported because it would bypass privacy and anti-surveillance controls, yet the implementation fully allows that path with no guardrails. This mismatch is dangerous because it invites consumers to rely on prose-based policy while the actual code path remains open for unauthorized use, undermining the consent-gated design claim at the exact abstraction boundary where enforcement should occur.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This analyzer produces results keyed by individual author name and computes per-person behavioral metrics from Git history, which enables profiling of identifiable workers. That directly conflicts with the stated safety boundary that the skill is only for self-reflection or consent-based retrospectives and must not support evaluation or surveillance; even if the orchestrator is intended to scope access, this file itself preserves and emits individual-level metrics that are easy to repurpose.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The code computes per-author 'quality' signals such as bug-fix ratio, revert ratio, large-commit ratio, test/doc modification ratios, and average complexity, which can be readily interpreted as employee performance indicators. In the context of a skill explicitly marketed as descriptive reflection and forbidden for ranking or HR use, these metrics materially increase the risk of worker evaluation, misclassification, and surveillance misuse.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This analyzer computes and returns per-author metrics such as commit-message behavior, file categories, language distribution, and average change size. Even though the docstrings describe consent and descriptive-only use, the implementation still produces identity-linked behavioral profiles that could be repurposed for individual monitoring or evaluation if orchestration controls are bypassed or misused.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The analyzer goes beyond a narrow code-style reflection by collecting per-identity commit behavior signals including conventional-commit ratio, issue-reference ratio, average message length, and average change size. Those metrics can enable profiling of individual work habits and productivity proxies, which creates privacy and employee-monitoring risk in a skill explicitly constrained to consensual self-reflection or team retrospectives.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation explicitly frames bus factor and related indicators as repository-level or aggregate-only, but the implementation later computes and returns per-author ownership metrics. This mismatch weakens policy safeguards because downstream consumers may rely on the stated limitations while still receiving individually attributable metrics that can be used for comparison or surveillance.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The analyzer emits per-author ownership_ratio, owned_files_count, lines_per_commit, and weekly_throughput, all of which are structured for easy ranking and comparison of individuals. Even with warning text, providing these fields creates a practical pathway for employee monitoring or performance inference that exceeds the declared purpose of self-reflection or aggregate team diagnostics.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The behavior goes beyond a descriptive Git-history reflection by generating normalized, per-author quantitative metrics that can readily support ranking, trend comparison, and evaluative judgments. In this skill context, that is especially dangerous because the manifest expressly prohibits use for worker evaluation, yet the code produces exactly the kind of structured data that would enable such misuse.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Despite the consent-oriented framing, the narrator generates individual-level behavioral inferences and prescriptive prompts from Git history, including statements about regular hours, workload patterns, ownership concentration, and test practices. Those outputs can be repurposed for worker surveillance or personnel assessment, especially because the code operationalizes person-specific judgments that exceed a narrowly descriptive summary.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The module claims to provide only descriptive self-reflection, but the implementation includes quasi-evaluative recommendations and inferred judgments about developer behavior. This mismatch is dangerous because downstream integrators may trust the safety claims while unknowingly deploying functionality that supports individual profiling or employment-related decision-making.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The template renders detailed per-author metrics across multiple behavioral dimensions, not just a narrow self-reflection narrative. Even with disclaimer text, exposing author-level commit cadence, work habits, ownership, and quality signals creates a practical basis for comparing or judging individuals, which conflicts with the stated prohibition on evaluation, ranking, or surveillance use.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The reporter exposes worker-monitoring style indicators such as weekend activity, late-night activity, streaks, gaps, ownership, churn, and bug-fix ratios at the individual-author level. These metrics can be repurposed to infer work patterns, availability, engagement, or performance, making the report suitable for surveillance or HR misuse despite the warning language.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The scanner can recursively enumerate every Git repository under an operator-supplied root, which broadens collection beyond the manifest’s narrowly scoped trigger language centered on explicit reflection for a specific repo or clearly consented team retrospective. Even if later stages apply consent filters, mass discovery of repositories is itself a capability expansion that can facilitate analysis of unintended or non-consented repos and makes misuse easier under ambiguous prompting or operator error.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.