Back to skill

Security audit

Code Right Publish

Security checks across malware telemetry and agentic risk

Overview

The skill appears to use an email address and remote delivery for its stated output, but users should treat submitted materials as externally processed.

Before installing, use it only with materials you are comfortable sending to a third-party service by email. Look for or request a privacy notice covering email use, storage, retention, sharing, deletion, and handling of uploaded screenshots or documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill asks for an email address and promises to send generated ZIP materials, but provides no privacy notice, retention policy, or explanation of how the email will be used and protected. This can lead to collection and external use of personal data without informed consent, and may expose users to privacy, compliance, and misuse risks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill states that descriptions, screenshots, Word documents, and ZIP packages are generated and delivered automatically, but does not warn that these materials are processed by backend systems and transmitted externally. Because application materials and screenshots may contain sensitive business or intellectual-property information, silent external processing materially raises confidentiality and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.