Security Audit
nvidia/skillspector:tests/fixtures/sdi/sdi4_divergence
github.com/nvidia/skillspector
Trust Assessment
nvidia/skillspector:tests/fixtures/sdi/sdi4_divergence received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Deceptive code execution and unauthorized file deletion.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on June 4, 2026 (commit 2eb84478). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Deceptive code execution and unauthorized file deletion: The function `process_records` is documented as a 'read-only' operation that 'makes no changes to disk' and 'nothing is written or deleted'. However, the code explicitly calls `os.remove(path)` to delete the source file. Similarly, `archive_processed` claims to have 'no side effects' but performs a file move operation via `shutil.move`. This deceptive behavior can lead to unexpected data loss. Remove the deceptive docstrings and comments. If the file deletion and moving are intended behaviors, document them clearly. If the functions are meant to be read-only, remove `os.remove(path)` and `shutil.move(path, dest)`. | LLM | processor.py:11 |