Code Security Auditor

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real code security auditor, but it overstates local-only privacy while bundling optional cloud LLM code and a self-evaluation script that writes persistent workspace logs.

Install only if you are comfortable reviewing and controlling data flows. Use the main auditor.py path in a controlled workspace, avoid Qwen or ChatGLM providers for proprietary or secret-bearing code unless you explicitly accept external transmission, and avoid running iterate.sh unless you want persistent iteration reports and global learning-log entries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

os.system() or os exec-family call

Severity: High
Category: Dangerous Code Execution
Content:
import os

# 🟠 HIGH: Command injection
def ping_host(host):
    # Dangerous: os.system executes user input directly
    os.system(f"ping -c 4 {host}")

# 🟠 HIGH: Weak cryptography
import hashlib
Confidence: 99%
Finding: os.system(f"ping -c 4 {host}")

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding: The document makes absolute privacy and offline-operation claims ('完全本地运行,代码不出境', i.e. "runs entirely locally, code never leaves") while elsewhere planning LLM integration, which can materially change data flows and trust boundaries. In a security-auditing skill, overstated privacy guarantees can cause users to submit sensitive source code under false assumptions, creating compliance, confidentiality, and deployment-risk exposure.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding: The README makes a strong privacy/security claim that the tool is 'completely local' and that data does not leave the environment, yet it also documents optional integrations and third-party tools that may fetch packages, updates, or signatures, or otherwise interact with remote resources. Even if the scanner itself runs locally, overstating data locality can mislead users into trusting the tool in sensitive environments without validating its network behavior or supply-chain exposure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The script's primary behavior is self-evaluation and iterative improvement of the skill itself rather than performing the user-facing code security audit promised by the manifest. This mismatch is dangerous because it can cause unauthorized local actions, consume trust and resources under false pretenses, and lead users to run a script that modifies the environment instead of auditing target code.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The script persistently writes iteration reports and learning records to disk, including under a global workspace path, even though that behavior is unrelated to a requested code audit target. Unnecessary persistence expands the blast radius, may leak operational metadata, and creates side effects users did not explicitly authorize.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script writes reports and learning records without prompting the user or clearly warning that files outside the immediate report path will be modified. In a skill expected to analyze code, this silent state modification is risky because it can overwrite or disclose data, leave persistent artifacts, and violate the principle of least surprise in sensitive environments.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The module forwards supplied code, findings, and context to remote LLM providers (Qwen/ChatGLM) without any consent gate, redaction layer, or clear indication that sensitive source code may leave the local environment. In a security-auditing skill, inputs often contain proprietary code, credentials, internal paths, and vulnerability details, so silent transmission to third-party APIs creates a meaningful confidentiality and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The underlying issue is not missing disclosure but a real SSRF risk: the function performs a network request directly to a user-supplied URL without validation. This can let an attacker reach internal services, cloud metadata endpoints, or other restricted network locations from the server.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: Although the pattern mentions disclosure, the real security problem here is shell command injection. Executing a command built from user input can lead to arbitrary command execution and full compromise of the host process context.

VirusTotal

65/65 vendors flagged this skill as clean.