Back to skill

Security audit

GitHub Issue Resolver

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate GitHub issue-fixing skill, but it needs review because an included helper can push code and open PRs through the user's GitHub login without the approval and draft safeguards the instructions promise.

Install only if you are comfortable giving the skill access to repositories through your local git and authenticated gh account. Keep pushes and PR creation under explicit user control, review the target repo and branch before use, and prefer fixing or disabling scripts/create_pr.py until it validates inputs, uses shell-free subprocess argument lists, requires confirmation, and creates draft PRs by default. Clear local audit logs after use on private code if they may contain sensitive diffs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_cmd(cmd, check=True):
    """Run shell command and return output."""
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    if check and result.returncode != 0:
        print(f"Command failed: {cmd}", file=sys.stderr)
        print(f"Error: {result.stderr}", file=sys.stderr)
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Step 5: Execute
        work_dir = cwd or self._working_dir
        try:
            result = subprocess.run(
                command,
                shell=True,
                capture_output=True,
Confidence
95% confidence
Finding
result = subprocess.run( command, shell=True, capture_output=True, text=True, cwd=work_dir,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Execute
        work_dir = cwd or self._working_dir
        try:
            result = subprocess.run(
                command, shell=True, capture_output=True, text=True,
                cwd=work_dir,
                timeout=self.guardrails.behavior.get("timeoutMinutes", 15) * 60
Confidence
97% confidence
Finding
result = subprocess.run( command, shell=True, capture_output=True, text=True, cwd=work_dir, timeout=self.guardrails.behavior.get("timeoutMin

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs the agent to perform high-risk operations including shell execution, network access, repository cloning, file modification, git push, and PR creation, yet the manifest shown in this file declares no explicit permissions. That creates a dangerous trust gap: a caller or platform may underestimate the skill's capabilities and allow it to run in contexts where those capabilities should require explicit review or sandbox restrictions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill advertises a guarded GitHub issue resolution workflow, but the documented behavior includes broad shell execution via a wrapper, persistent local state and audit writes, issue locking, git operations, and PR creation. Even if those actions are framed as guarded, the mismatch means reviewers and users may approve the skill for a narrower purpose than it actually enables, which can conceal materially risky side effects and expand the blast radius of prompt injection or misuse.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script's stated purpose is creating a PR, but its generic run_cmd wrapper can execute arbitrary shell strings and is used for multiple state-changing operations. In this agent context, that broader shell capability is unnecessary and increases the blast radius from simple argument handling bugs into full command execution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The logger persists action metadata, decisions, repository identifiers, issue numbers, and arbitrary details to disk automatically with no minimization, redaction, or explicit disclosure. In an autonomous GitHub issue resolver, those fields can easily contain sensitive repository context, prompts, paths, error output, or token-adjacent data, creating unintended local data retention and exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Raw diff content is written verbatim to patch files on disk, which can capture source code, configuration values, embedded secrets, or proprietary content. In this skill's context, the agent operates on GitHub repositories and may touch private codebases, so persisting full patches materially increases data leakage risk beyond transient in-memory processing.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The generated decisions markdown creates a human-readable aggregation of actions, decisions, and approvals, making sensitive operational context easier to browse and exfiltrate than raw JSON logs. While lower risk than full diff persistence, it still increases exposure of repository activity and internal reasoning without clear notice or access controls.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script creates a branch, pushes to origin, and opens a PR without any confirmation or dry-run gate. In an autonomous issue-resolver skill, this increases the risk of unintended remote changes, especially if the agent is tricked into acting on the wrong repository, branch, or issue context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.