GitHub Automation Pro

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs GitHub automation as advertised, but it asks for a GitHub token while shipping obfuscated code, inaccurate token-safety claims, overbroad dependencies, and off-platform crypto license/payment instructions.

Install only if you trust the publisher and are comfortable with obfuscated code handling a GitHub token. Use a fine-grained token limited to the exact repository and permissions needed, verify owner/repo before write actions, revoke the token afterward, and avoid off-platform crypto payment or license claims unless independently verified.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (1569)

Intent-Code Divergence

Medium

Confidence: 83% confidence
Finding: The comment for getToken states it returns the current GitHub token in a partially masked form, which frames the method as a safe or limited disclosure. However, the declared API explicitly exposes token retrieval functionality at all, which is sensitive capability not implied elsewhere in the interface and may contradict a reader's expectation that credentials remain internal to the client.

Context-Inappropriate Capability

Medium

Confidence: 83% confidence
Finding: The package description and listed features describe GitHub issue, PR, release, and repository analytics automation. The dependency on Puppeteer indicates full browser automation capability, which is broader than the obvious needs of GitHub API-based automation and is not mentioned anywhere in the package description or feature list.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: With no manifest available, the code itself indicates a purpose of creating, listing, and updating GitHub issues via strategy classes. However, L1 includes heavy string-table obfuscation and a self-referential anti-tamper pattern before the actual business logic, which is not justified by that apparent purpose and adds hidden capability/opacity unrelated to issue management.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The file implements heavily obfuscated bootstrap logic with self-referential constructor/toString/search behavior before defining the PR analysis and review classes. That capability is not necessary for the evident business logic of fetching pull-request metadata and generating analysis/review templates, and it materially obscures developer intent.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: The file is heavily obfuscated and includes a self-defending/anti-tamper style wrapper that inspects function source via toString/search before executing the actual strategy classes. For a file that otherwise implements release creation and repository statistics/health strategies, this capability is not necessary to provide the apparent business functionality and is not justified by any stated purpose.

Context-Inappropriate Capability

Medium

Confidence: 88% confidence
Finding: The file includes heavily obfuscated bootstrap code with string-table indirection and a self-referential function that appears designed to resist inspection or tampering before the actual module logic runs. With no manifest or stated purpose, this capability is not justified by the apparent functional role of the file, which is simply registering strategy classes.

Natural-Language Policy Violations

Low

Confidence: 90% confidence
Finding: The header comment uses Traditional Chinese to describe the client ('封裝 Octokit REST API，提供統一介面') while the rest of the API surface is in English, indicating a locale-specific instruction/commentary without any opt-in or stated regional scope. This matches the policy category for language/locale constraints because it imposes a specific language in natural-language content without documenting user choice or justification.

Natural-Language Policy Violations

Low

Confidence: 91% confidence
Finding: The file’s natural-language comments are written in Traditional Chinese, including the class description and design-pattern notes, with no indication that language selection is user-configurable or intentionally region-scoped. Under the stated policy, forcing a specific language without opt-in can be a locale-policy violation.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: This JavaScript file handles a sensitive credential (`githubToken`) and constructs a GitHub client with it, implying outbound authenticated network access to GitHub. In this file there is no confirmation prompt, logging, or user-facing warning explaining that the skill will use the token to make GitHub API calls on the user's behalf.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The action schema includes operations like `issue.create`, `issue.update`, and `release.create`, which can modify repository state and create persistent artifacts. Although these actions are part of the skill's functionality, this file shows no user confirmation, prompt, or explicit disclosure before executing such changes.

Natural-Language Policy Violations

Low

Confidence: 84% confidence
Finding: The file includes a Chinese comment string (`使用 Strategy Pattern 實作 Issue 相關操作`) while the surrounding identifiers and comments are otherwise in English. This creates a mixed-language experience and may violate a language/locale policy if the organization expects user-facing or maintainable skill content to avoid forcing a specific language without opt-in.

Natural-Language Policy Violations

Low

Confidence: 77% confidence
Finding: The header presents the skill description in Chinese ('PR 審查輔助功能') alongside English, but the file does not indicate whether language selection is user-driven or part of a documented locale policy. Under the stated policy, forcing or implying a locale without opt-in can be a natural-language policy concern, even in comments or declarations.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: This markdown file advertises actions that can create or update issues and publish releases, which can affect repository data and workflows. Under the markdown-specific warning criterion, the description should disclose that these operations may modify remote GitHub state or publish content on the user's behalf.

Natural-Language Policy Violations

Low

Confidence: 90% confidence
Finding: This declaration file includes a Chinese-only description string alongside the English title, but nowhere in the file offers user language choice or explains that the skill is region-specific. Under the policy rule, natural-language content that imposes a language or locale without opt-in can be a policy concern.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: This markdown file documents a skill that accepts a GitHub token and performs state-changing operations such as creating issues. Although features and examples are shown, there is no user-facing warning near the setup or execution examples that the skill can create or modify GitHub resources and should be used with appropriately scoped credentials.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The markdown includes an example for `release.create`, which is a write operation that can alter repository release state. The surrounding documentation does not warn users about this potentially impactful action or advise confirmation before use.

Natural-Language Policy Violations

Low

Confidence: 82% confidence
Finding: Nearly all user-facing documentation is presented in Traditional Chinese, with no statement that other languages are supported or that the locale is intentionally region-specific. Under the policy, forcing a specific language without user choice can be a natural-language policy concern unless clearly documented and justified.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: This code performs state-changing actions against GitHub, including issue creation, issue updates, and release creation, but the file contains no confirmation prompt, user-facing logging, or explanatory comments/docstrings describing those actions. Because these operations modify remote repository data and the file is the only artifact provided for review, they lack the user disclosure required by the rule.

Natural-Language Policy Violations

Low

Confidence: 78% confidence
Finding: This declaration file contains natural-language comments in Chinese within an otherwise English API example, which can amount to an implicit language choice without user opt-in. The policy specifically calls for flagging language or locale constraints when a skill forces a specific language and does not offer alternatives.

Missing User Warnings

Medium

Confidence: 81% confidence
Finding: This JavaScript file instantiates GitHubClient with githubToken and performs create, list, and update issue operations, which transmit repository and issue data over the network. The file contains no visible confirmation prompt, print/log statement, or explanatory comment/docstring disclosing that remote GitHub API actions will occur using the supplied credential.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: This JavaScript code instantiates a GitHub client with `githubToken` and calls methods to fetch pull request metadata and file lists, which are network operations involving repository data. In this file there are no confirmation prompts, user-visible logs, or comments/docstrings disclosing that remote GitHub requests will be made using the provided token.

Natural-Language Policy Violations

Medium

Confidence: 95% confidence
Finding: Multiple embedded strings such as `建議添加相關測試`, `變更檔案較多，請確保變更範圍聚焦`, and `程式碼邏輯正確` indicate the generated analysis/review output is fixed to Traditional Chinese. There is no visible option for users to choose language or locale, which violates the language/locale policy for natural-language behavior.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: This JavaScript code instantiates a GitHub client with `githubToken` and performs network operations such as creating releases and fetching repository statistics. In this file there is no confirmation prompt, logging, comment, or docstring disclosing that authenticated network requests will be made with the user's token.

Natural-Language Policy Violations

Medium

Confidence: 98% confidence
Finding: Several returned assessment and recommendation strings are written directly in Traditional Chinese, such as repository health messages and recommendations. There is no indication that the user can choose a language or that this locale restriction is documented and justified, which violates the language/locale policy criteria.

Credential Access

High

Category: Privilege Escalation
Content: const a4_0x24331a=a4_0x9a41;(function(_0x500e6b,_0x1dd5aa){const _0x22247=a4_0x9a41,_0x4a08b9=_0x500e6b();while(!![]){try{const _0x30fda1=parseInt(_0x22247(0x188))/0x1+parseInt(_0x22247(0x189))/0x2+parseInt(_0x22247(0x1cf))/0x3+-parseInt(_0x22247(0x1f6))/0x4*(parseInt(_0x22247(0x1bc))/0x5)+-parseInt(_0x22247(0x193))/0x6*(-parseInt(_0x22247(0x1f2))/0x7)+-parseInt(_0x22247(0x1bf))/0x8*(parseInt(_0x22247(0x1c5))/0x9)+-parseInt(_0x22247(0x185))/0xa;if(_0x30fda1===_0x1dd5aa)break;else _0x4a08b9['push'](_0x4a08b9['shift']());}catch(_0x3990b7){_0x4a08b9['push'](_0x4a08b9['shift']());}}}(a4_0x82f1,0xb89ed));const a4_0x33cbde=(function(){const _0x2bb9c7=a4_0x9a41,_0x597355={};_0x597355[_0x2bb9c7(0x186)]=_0x2bb9c7(0x18f),_0x597355['BnDow']='lBEBx',_0x597355[_0x2bb9c7(0x1c7)]=_0x2bb9c7(0x1ce);const _0x9d95=_0x597355;let _0x2d4897=!![];return function(_0xfd552e,_0x1ffd2a){const _0x2cf2f3=_0x2bb9c7;if(_0x9d95[_0x2cf2f3(0x18b)]!==_0x9d95['TInUH']){const _0x255cfa=_0x2d4897?function(){const _0xf67495=_0x2cf2f3;if(_0x1ffd2a){const _0x215193=_0x1ffd2a[_0xf67495(0x1ac)](_0xfd552e,arguments);return _0x1ffd2a=null,_0x215193;}}:function(){};return _0x2d4897=![],_0x255cfa;}else return _0x5e6502[_0x2cf2f3(0x1c6)]()[_0x2cf2f3(0x1a1)](_0x2cf2f3(0x18f))['toString']()['constructor'](_0x44876d)[_0x2cf2f3(0x1a1)](_0x9d95[_0x2cf2f3(0x186)]);};}()),a4_0x183370=a4_0x33cbde(this,function(){const _0x2c26d2=a4_0x9a41,_0x14e7c9={};_0x14e7c9['WuKLN']='(((.+)+)+)+$';const _0x306b1c=_0x14e7c9;return a4_0x183370[_0x2c26d2(0x1c6)]()['search'](_0x306b1c[_0x2c26d2(0x1e0)])[_0x2c26d2(0x1c6)]()[_0x2c26d2(0x1e9)](a4_0x183370)['search'](_0x306b1c[_0x2c26d2(0x1e0)]);});a4_0x183370();'use strict';const a4_0x523903={};a4_0x523903['value']=!![],Object['defineProperty'](exports,a4_0x24331a(0x19a),a4_0x523903),exports['PRReviewStrategy']=exports[a4_0x24331a(0x1bd)]=void 0x0;const a4_0x59ec04=require(a4_0x24331a(0x1a5));function a4_0x9a41(_0x21f3b0,_0x47318f){_0x21f3b0=_0x21f3b0-0x185;const _0x504786=a4_0x82f1();let _0 ...[truncated 26 chars]
Confidence: 60% confidence
Finding: .env'

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal