Back to skill

Security audit

Read GitHub

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly transparent about reading GitHub through gitmcp.io, but it exposes broader remote tool-calling and URL-fetching powers than a normal repository reader needs.

Install only if you are comfortable with agents making remote requests through gitmcp.io and with access to broad `fetch-url` and `call` commands. Prefer the scoped `fetch-docs`, `search-docs`, and `search-code` commands, and avoid arbitrary external URLs or direct MCP tool calls unless you trust the target service and understand what tool will run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill exposes shell-based execution examples and operational behavior without declaring corresponding permissions, which undermines least-privilege expectations and can cause an agent or reviewer to underestimate its execution capabilities. In this context, the shell is used to invoke a helper script that can reach external services and fetch content, so the undeclared capability materially increases the risk of unintended command execution or network access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as a GitHub-reading utility, but it also documents a generic MCP tool invocation path and arbitrary URL fetching through referenced links. That expands the trust boundary beyond repository documentation access into broader remote capability execution and external content retrieval, which could be abused for unexpected network access, SSRF-like behavior, or invocation of server-side tools not implied by the skill's stated purpose.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is described as a GitHub-repository reader, but it exposes `fetch-url` that can retrieve arbitrary external URLs through the MCP service. This expands the trust and network boundary beyond repository documentation, enabling unintended access to third-party content and potential misuse for data exfiltration, SSRF-like proxying through the remote service, or retrieval of hostile content.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The `call` command lets a user invoke any MCP tool name with arbitrary JSON arguments, which is materially broader than the advertised read-only repository browsing use case. If the remote MCP server exposes administrative, filesystem, credentialed, or network-capable tools, this wrapper becomes a generic capability escalator rather than a constrained GitHub-reading skill.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code can cause network retrieval of arbitrary external content without presenting any explicit warning, confirmation, or boundary notice to the user. In a skill context, this matters because users may believe they are only reading GitHub repository content, while their queries or supplied URLs may be transmitted to external services and return untrusted data.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
# Fetch a URL mentioned in docs
  %(prog)s fetch-url karpathy/llm-council "https://example.com/doc"

  # Call any tool directly
  %(prog)s call karpathy/llm-council fetch_llm_council_documentation '{}'
"""
    )
Confidence
93% confidence
Finding
Call any tool

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.