Aider

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Aider skill whose code-editing, Git commit, and model-provider behaviors are disclosed and fit its developer-tool purpose.

Install this only if you want an AI coding assistant that can edit files and create commits in your repositories. Prefer pipx or a virtual environment, work on a clean branch, review diffs and commits before pushing, and avoid sending secrets, private logs, customer data, or sensitive command output to external model providers.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill prominently describes automatic code editing and auto-generated Git commits, but it does not clearly warn users that invoking the tool can immediately modify repository files and create version-control history. In a developer-tools context, this can lead to unintended code changes, accidental commits of insecure or broken code, and confusion about what actions were performed by the tool.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The `/run` command is documented as sending command output to the AI, but the skill does not provide a privacy or data-handling warning. This is dangerous because command output may contain secrets, proprietary code paths, environment details, or customer data that could be unintentionally transmitted to an external model provider.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal