ggshield Secret Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a coherent secret-scanning wrapper, but it needs review because it handles sensitive code through a third-party scanner while overstating its privacy guarantees.

Install only if you are comfortable letting an agent run ggshield on selected code and Docker images. Use a revocable GitGuardian API key, verify the ggshield binary and package source, avoid scanning repositories whose contents or paths cannot be shared with GitGuardian, and require explicit approval before installing git hooks.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 93% confidence
Finding: The privacy section makes a strong guarantee that only metadata is sent and that actual secrets or file contents are never transmitted, but this skill is only a wrapper around an external CLI/service and cannot independently guarantee that behavior across versions, configurations, or scan modes. Overstated privacy claims can cause users to scan sensitive repositories under false assumptions, potentially exposing regulated data or secrets to a third party.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal