
Security audit

Github Repo Browser Read Only

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for read-only GitHub browsing, but it can copy private repository files or archives into external storage and return signed URLs without clearly documenting retention or access controls.

Install only if you are comfortable giving AgentPMT read access to the GitHub repositories available through the connected token. Prefer read-only inspection actions such as get_file or list_directory for normal review, and use download_to_storage or download_repo_to_storage only when you intend to copy repository content into AgentPMT-managed storage and share it through a signed URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 86%
Finding
The activation keywords are broad enough that an agent may invoke this skill for loosely related requests involving GitHub browsing, code search, or downloads without an explicit user intent to access repositories or export contents. In this context, overbroad routing is risky because the skill can access private repositories and can copy repository data into external storage via download actions, increasing the chance of unintended data exposure.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill describes download capabilities but does not prominently warn that downloaded repository contents are copied to external file storage and exposed through a signed URL for downstream access. For a tool operating on private GitHub repositories, this omission can mislead agents or users into treating downloads as local or transient reads, resulting in unintended exfiltration of sensitive source code, secrets, or proprietary data.

Missing User Warnings

Medium
Confidence: 90%
Finding
The schema documents an action that downloads repository content into persistent storage but does not warn users that the content may remain stored beyond the immediate session. Because this skill is explicitly for browsing private and public GitHub repositories, users may unintentionally persist sensitive source code or documents and expose them through later access to stored files.

Missing User Warnings

Medium
Confidence: 93%
Finding
This action states that it saves a repository file to storage and returns a signed URL, but the schema does not clearly communicate the persistence and sharing implications of that URL. In the context of read access to private GitHub repositories, this can lead to accidental exposure of sensitive files if users or downstream agents treat the signed URL as harmless or temporary without understanding its access properties.

VirusTotal

VirusTotal findings are pending for this skill version.