Code Generator

Security checks across malware telemetry and agentic risk

Overview

This is a local code-template generator with no hidden network or credential behavior, though it keeps a small local history of generated commands.

Reasonable to install for local code scaffolding. Review generated code before using it, especially API, CRUD, Docker, and auth-adjacent examples. Do not include secrets or sensitive internal project identifiers in command arguments unless you are comfortable with them being stored in the local history file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 76%
Finding
The skill uses very broad activation language such as 'Describe what you need, get working code,' without clear boundaries on what requests should be accepted or refused. In an agent setting, this can cause over-triggering and generation of unsafe or unintended code, including scaffolding that handles secrets, system commands, or other sensitive operations without explicit user confirmation.

Missing User Warnings

Low
Confidence: 82%
Finding
The script persistently logs user-supplied names and parameters into a history file under the user's data directory without notice or consent. In a code-generation context, project names or model names can contain sensitive internal identifiers, so this creates a privacy and local information disclosure risk, especially on shared systems or when home directories are backed up or synchronized.

VirusTotal

66/66 vendors flagged this skill as clean.
