Security audit

GitCode Issue Reply

Security checks across malware telemetry and agentic risk

Overview

This skill is a GitCode issue reply assistant, but it needs review because it can post comments, send issue text to DeepWiki, download issue images, and retain issue data locally.

Install only if you are comfortable giving this skill a GitCode token that can read issue data and post comments on your behalf. Use a least-privilege token, avoid private or sensitive issues unless DeepWiki sharing and local caching are acceptable, and review both label actions and final reply text before allowing publication.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (16)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill declares only an optional environment variable, but its instructions require broad capabilities including shell execution, network access, file read/write, and MCP access. This permission under-declaration is dangerous because it obscures the true trust boundary: a reviewer or orchestrator may approve or sandbox the skill based on incomplete information, while the skill can still read tokens, fetch remote content, write files, and invoke posting actions.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The documented purpose says the skill generates reply drafts for maintainer review, but the behavior includes direct comment posting, standalone issue querying, external DeepWiki access, remote image downloading, local persistence, and data transformation not clearly disclosed in the description. This mismatch is dangerous because users and policy layers may invoke the skill expecting a low-risk drafting tool, while it actually performs higher-risk actions that can leak data externally, persist sensitive content, or modify remote state.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding: The utility code harvests a GitCode access token from multiple sources, including Windows User and Machine environment stores via PowerShell, even though the skill is described as generating draft replies for maintainer review. This broad credential-discovery behavior increases the chance of silently using privileged credentials without explicit user consent and makes the skill more dangerous than its stated purpose suggests.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The shared utility provides a generic authenticated POST primitive to the GitCode API, which enables state-changing operations. In the context of a skill that claims to only generate reply drafts for later maintainer review, this materially exceeds the declared behavior and could be used by other code paths to post comments or modify remote resources without the promised human review step.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The module writes a reusable corpus of full issue contents and metadata to local disk, which expands data retention beyond the skill's declared purpose of drafting a reply for a single issue. In a maintainer-assistant context, this creates unnecessary persistence of potentially sensitive issue text, increasing privacy, data minimization, and cross-task data exposure risk if the workspace is reused or accessible by other components.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding: The load path restores a disk-backed document corpus and makes it reusable across runs, which broadens the skill from single-issue reply generation into longer-term issue collection and retrieval. That persistence can unintentionally mix data between users or tasks and expose historical issue contents beyond the immediate drafting operation.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The script performs a live state-changing action by posting comments to GitCode, which directly contradicts the skill's declared purpose of only generating reply drafts for maintainer review. This mismatch is dangerous because an orchestrator or user may grant the skill broader trust than warranted, leading to unauthorized or unintended external publication under a valid API token.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The code calls api_post() against the issue comments endpoint, giving the skill remote write capability that is not justified by its stated draft-only function. In an agent setting, hidden or under-declared side effects are especially risky because generated content could be published automatically, causing impersonation, data leakage, spam, or workflow manipulation.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding: The module documentation explicitly states that the script posts a comment, reinforcing that the implementation contradicts the manifest's safer draft-only claim. Documentation mismatches are dangerous in security-sensitive agent ecosystems because they can mislead reviewers, policy engines, or users about actual capabilities and conceal unexpected write actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The skill persists caches and knowledge-base data under the skill directory even though the described purpose is preparing a reply for a single issue. This creates unnecessary local retention of issue content and metadata, increasing the risk of cross-run data leakage, unintended reuse across repositories, and exposure of potentially sensitive issue data on disk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The script downloads issue-linked images and emits base64-encoded copies in output, which materially expands data collection beyond simple reply-draft preparation. Remote image fetching can pull attacker-controlled content into local storage, and base64 embedding amplifies the risk of sensitive screenshots or documents being retained, forwarded, or processed by downstream components.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The DeepWiki query sends issue-derived content to an external service unrelated to the core GitCode API workflow. That can disclose private repository context, issue text, or sensitive operational details to a third party without clear necessity or consent, especially if the issue is internal or contains secrets.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding: The script advertises itself as 'read-only' while actually creating directories, writing cache files, persisting outputs, and downloading content locally. This mismatch is dangerous because users and higher-level orchestration may grant trust, permissions, or execution based on the false assumption that no state-changing or data-retaining behavior occurs.

Description-Behavior Mismatch

Severity: Medium
Confidence: 85%
Finding: The utility code fetches arbitrary image URLs from issue content, writes the responses to local disk, and converts them to base64. That behavior expands the skill from simple reply drafting into processing untrusted remote content, creating unnecessary attack surface such as SSRF-like outbound requests, resource exhaustion from large files, and unexpected local data handling that is not disclosed by the skill description.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The code sends repository names and user questions to an external DeepWiki MCP endpoint that is not mentioned in the manifest. Undisclosed third-party network access can leak user/repository data, create compliance issues, and surprise operators who expected the skill to only draft a reply from issue context.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The code writes downloaded images and issue output files to disk without a clear user-facing warning or consent at the point where persistence occurs. In practice this can surprise users, leave sensitive issue artifacts on shared hosts, and create forensic or compliance exposure if screenshots or private issue details are stored locally.

VirusTotal

65/65 vendors flagged this skill as clean.