Security audit

pr-reviewer

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but reviewing an untrusted PR could let attacker-controlled filenames influence local command execution.

Install only if you are comfortable reviewing or patching the script first. Use least-privilege GitHub credentials, keep report paths inside the workspace, review the generated markdown before running `post`, and avoid running the skill on untrusted PRs until filename handling is changed to pass data through stdin, JSON, or command arguments instead of interpolating it into Python source.
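The following is an added illustration, not code from the pr-reviewer skill or its audit, of the two patterns the overview contrasts. `unsafe_source` reproduces the fragile approach (a PR filename spliced into Python source text, as a shell script would do with `python -c "..."`), and `count_lines_safe` shows the recommended hardening: the filenames travel as JSON on stdin to a fixed helper program, so their content is never parsed as code. The sample file names and the line-counting task are constructed for the example.

```python
import ast
import json
import os
import subprocess
import sys
import tempfile


def unsafe_source(filename: str) -> str:
    """Vulnerable pattern: the filename becomes part of the program text.
    Any quote or newline in the name changes the structure of the code."""
    return f"print(len(open('{filename}').read().splitlines()))"


def unsafe_parses(filename: str) -> bool:
    """True if the interpolated source is still one well-formed statement.
    A benign name with an apostrophe already breaks it, which is the same
    property that lets a crafted name alter what the code does."""
    try:
        ast.parse(unsafe_source(filename))
        return True
    except SyntaxError:
        return False


# Fixed helper program: it never changes, regardless of the input names.
HELPER = """
import json, sys
for path in json.load(sys.stdin)["files"]:
    with open(path, encoding="utf-8") as fh:
        print(json.dumps({"file": path, "lines": len(fh.read().splitlines())}))
"""


def count_lines_safe(paths):
    """Hardened pattern: filenames are data on stdin, not code.
    argv is a list, so no shell is involved and nothing is re-parsed."""
    proc = subprocess.run(
        [sys.executable, "-c", HELPER],
        input=json.dumps({"files": list(paths)}),
        capture_output=True,
        text=True,
        check=True,
    )
    results = {}
    for line in proc.stdout.splitlines():
        rec = json.loads(line)
        results[rec["file"]] = rec["lines"]
    return results


def demo():
    """Create constructed sample files (one with an apostrophe and a space in
    its name) and compare both approaches on them."""
    with tempfile.TemporaryDirectory() as workdir:
        names = {"README.md": "a\nb\n", "it's odd.md": "x\ny\nz\n"}
        paths = []
        for name, body in names.items():
            path = os.path.join(workdir, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            paths.append(path)
        return {
            "unsafe_parses": {n: unsafe_parses(n) for n in names},
            "safe_counts": {os.path.basename(p): c
                            for p, c in count_lines_safe(paths).items()},
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check a reviewer can apply to the real script is simply whether any PR-derived string ends up inside the text handed to `python -c`, `eval`, or a heredoc that is later executed; if it does, the data path needs to change as above.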

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill documentation explicitly states that it writes a state file and markdown review reports, but the skill declares no permissions. This mismatch is a real security issue because consumers and policy engines cannot accurately assess or constrain the skill's side effects, increasing the chance of unauthorized file modification or writes to unexpected locations via configurable paths.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The `post` command sends the generated report directly to GitHub via `gh pr comment ... --body-file`, which can publish potentially sensitive local analysis output without an explicit confirmation step or a clear user warning at the moment of execution. In this skill's context the risk is elevated because reports may include diff-derived findings, commit metadata, PR descriptions, and local lint output, so a user or automation invoking `post` could unintentionally disclose internal details back to a remote service.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Severity: Critical
Code: suspicious.dynamic_code_execution
Location: scripts/pr-review.sh:168