Back to skill

Security audit

Code Refactor

Security checks across malware telemetry and agentic risk

Overview

This skill is a local code refactoring tool whose file edits and test execution match its stated purpose, though users should run it only on trusted projects.

Use this on trusted codebases, start with dry-run, review the generated changes before using --apply, and keep the project under version control. Be aware that validation may run project test scripts or a configured test command with your local permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The docstring states that refactor() is a dry-run operation, but the implementation can perform real code modifications when options.dryRun is false and may also run validation afterward. In a code-modifying agent skill, misleading safety semantics can cause callers or higher-level agents to invoke a destructive path under the mistaken belief that no files will be changed.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The CLI help text presents refactor as a preview action, while the same command supports --apply to make actual file changes. This mismatch can mislead users, automation, or agent wrappers into treating the command as non-destructive, increasing the risk of unintended code modification in environments where tools are expected to be safe by default.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The validator invokes execSync(this.options.testCommand), and testCommand is configurable via constructor options with no allowlisting or sanitization. Because execSync executes through a shell, any attacker-controlled or untrusted input in testCommand can lead to arbitrary command execution on the host running validation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/validator.js:131

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
src/validator.js:99