Embedded Code Review Expert

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed code-review helper that can share diffs with review tools, so it is acceptable but should be used carefully on sensitive code.

Before installing or using this skill, treat review diffs as sensitive: avoid running fallback or second-model review on proprietary or secret-bearing changes unless that sharing is allowed. For sensitive repositories, use Codex-only review, pass --fallback-reviewer none, and consider --no-yolo to avoid full-access nested review.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The README promotes dual-model review but does not clearly disclose that repository diffs may be transmitted to multiple external agents/services. In a code-review skill, this is security-relevant because diffs often contain proprietary source, secrets, credentials, internal endpoints, or embargoed fixes; sending them to additional model providers expands the data exposure surface and can violate user expectations or policy.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal