Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 92% confidence
- Finding
- 该技能文档指示会运行本地脚本获取 PR diff / Git diff,体现出 shell、network、env 能力,但未声明相应权限边界。对一个可被自然语言触发的技能而言,未显式声明这些能力会削弱用户与平台的风险感知,可能导致在不透明前提下访问仓库、环境变量或远程代码托管服务。
code-review-assistant
Security checks across malware telemetry and agentic risk
Overview
This skill is a code-review helper that reads diffs or PRs as advertised, with no evidence of hidden persistence, destructive behavior, or unrelated data exfiltration.
Install only if you are comfortable with the assistant reading the diffs, files, or PR/MR content you ask it to review. Avoid reviewing changes that contain secrets, use read-only least-privilege GitHub or GitLab tokens, and verify any self-hosted GitLab URL before fetching a diff.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)
Tp4
High
- Category
- MCP Tool Poisoning
- Confidence
- 95% confidence
- Finding
- 技能声明自己会进行结构化安全/质量审查,但从内容看主要是抓取和展示 diff,缺少承诺的分析逻辑、输出控制和多语言规则。这种能力与描述不一致会让用户误以为代码已经过安全审查,从而产生错误信任,属于典型的安全误导风险。
Vague Triggers
Medium
- Confidence
- 83% confidence
- Finding
- 触发示例覆盖“检查这段代码”“看看这个 diff 有没有问题”“code review”等非常宽泛的日常表达,容易在普通对话中被意外激活。一旦激活后又会进一步读取本地 diff 或远程 PR,这会扩大数据暴露面,并增加在用户未明确同意时访问代码内容的概率。
Vague Triggers
Medium
- Confidence
- 79% confidence
- Finding
- 默认触发词如“review / 代码审查 / 检查代码”过于宽泛,容易在普通对话中误触发标准模式,使技能在未经用户明确确认的情况下拉取 PR、分析 diff 或输出带安全判断的审查结果。该技能上下文包含 GitHub/GitLab PR diff 获取能力,因此误触发可能扩大到不必要的代码访问、外部请求或对结果的错误依赖。
Vague Triggers
Medium
- Confidence
- 82% confidence
- Finding
- 严格模式触发词包含“全面检查”“PR review”等较宽泛表述,容易与日常请求重叠,导致系统在用户未明确要求最严格审查时进入高敏感、高成本分析路径。对具备外部 diff 获取和安全漏洞输出能力的技能而言,这会增加误报、越权式数据拉取或不必要自动化动作的风险。
VirusTotal
66/66 vendors flagged this skill as clean.