Back to skill

Security audit

Auto Pr Merger

Security checks across malware telemetry and agentic risk

Overview

This skill automates PR merging, but it also makes unreviewed code changes, pushes and merges them, and sends repository content to Gemini with under-disclosed credential handling.

Review this skill carefully before installing. Only run it in repositories where automated commits, pushes, branch deletion, and PR merges are acceptable, and avoid using it with production GitHub credentials or repositories containing secrets. Expect repository code, conflict contents, and test output to be sent to Gemini if a GEMINI_API_KEY is available. Prefer a version with explicit opt-in for external LLM use, no parent-directory .env scanning, a dry-run mode, and human approval before commit, push, or merge.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill searches local .env files for a GEMINI_API_KEY and then sends repository-derived content, including whole file contents and merge-conflict text, to an external LLM service. This creates a clear credential-access plus data-exfiltration path that can leak proprietary source, secrets embedded in files, or sensitive test output outside the repository boundary.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill performs powerful repository mutations: fetching, merging branches, resolving conflicts, overwriting files, committing, pushing, and merging PRs automatically. In this context, broad write and remote merge capabilities can damage code integrity, merge unsafe changes, or overwrite developer intent at scale if the automation behaves incorrectly or is triggered with untrusted inputs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly describes behavior that can commit, push, and merge code changes, but it does not warn the user that invoking it may directly modify a repository and trigger an automatic merge. In an agentic context, this omission is dangerous because users may treat the skill as a test helper while it actually performs privileged state-changing actions on remote code, increasing the chance of unintended code integration or repository compromise.

Missing User Warnings

High
Confidence
99% confidence
Finding
The --test argument is passed directly into execSync via run(testCommand), so any caller-controlled shell metacharacters or chained commands will execute with the privileges of the process. This is classic command injection and is especially dangerous in automation that also has git and GitHub credentials available.

Missing User Warnings

High
Confidence
94% confidence
Finding
The tool accepts arbitrary LLM output, overwrites repository files, stages all changes, commits, and pushes automatically. This creates an unreviewed code-modification pipeline where prompt injection, malicious test output, or model mistakes can result in harmful code being committed and propagated remotely.

Missing User Warnings

High
Confidence
93% confidence
Finding
During conflict resolution, the skill sends conflicted file content to an LLM, writes the returned text directly back to disk, stages it, commits it, and pushes it. That means merge conflict markers or adversarial code/context can influence an external model to produce insecure or destructive code that is accepted without human verification.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill transmits prompt content to a third-party LLM endpoint without any visible privacy notice or consent flow, and those prompts can include repository code and failure output. Even if intended for debugging, this is an external data disclosure risk that may violate confidentiality expectations or data-handling policies.

VirusTotal

No VirusTotal findings

View on VirusTotal