ci-cd-pipeline-builder

Security checks across malware telemetry and agentic risk

Overview

This CI/CD helper is transparent about generating workflow files, but its Python pipeline output can pass even when dependency installation or tests fail.

Install only if you are comfortable reviewing generated CI files before committing them. For Python projects, remove the `|| true` suffixes from dependency installation and pytest steps so failures actually fail CI, and generate to a temporary path before replacing an existing workflow.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill instructs users to run local scripts that read repository contents and generate/write CI configuration files, but it declares no permissions. This creates a trust and governance gap: a caller or platform may treat the skill as low-privilege even though it can inspect files and modify workspace state, increasing the risk of unauthorized file access or pipeline-file overwrites.

Missing User Warnings

Low

Confidence: 85% confidence
Finding: The README instructs users to write generated output directly to `.github/workflows/ci.yml`, which modifies repository state and can overwrite an existing workflow without any warning or review step. In a CI/CD skill, changing workflow files can affect build and deployment behavior, so even documentation-level omissions can lead to unintended pipeline changes.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal