Security audit

GitHub to RedNote

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed GitHub-to-social-post generator with expected GitHub API use, local outputs, optional image generation, and local caching.

Install only if you are comfortable giving the skill a GitHub token and running its Python scripts. Use a fine-grained read-only token, prefer public repositories or run with --no-cache for sensitive ones, review generated articles before publishing, and install optional packages in a virtual environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 97%
Finding
The skill advertises executable capabilities including environment access, file read/write, network access, and shell use, but declares no permissions. That undermines user consent and platform policy enforcement because a user may invoke what appears to be a simple content-generation skill without realizing it can access local data, make outbound requests, and execute commands.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding
The documented behavior materially understates what the skill can do: it accesses authenticated GitHub data, writes files, copies content to the clipboard, generates images, and invokes external conversion tools. This mismatch is dangerous because users and reviewers may approve the skill for a narrow purpose while it performs broader actions that affect privacy, integrity of local files, and trust boundaries with external programs.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The skill states it fetches repository data and README content but does not clearly warn that this requires external network requests. While network access is expected for GitHub-based functionality, failing to disclose it can surprise users in restricted or privacy-sensitive environments and may expose queried repository names, tokens, or metadata to external services.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
The code inserts untrusted README content directly into the model prompt, creating prompt-injection and data-exfiltration risk at the application layer. A malicious repository README can include instructions that steer the model to ignore prior guidance, reveal embedded prompt text, or reproduce sensitive or user-supplied content in the generated output; because this skill's purpose is to convert arbitrary GitHub repositories, that context makes the risk materially more serious.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
Appending caller-provided `extra_context` as unchecked natural-language instructions gives external input direct control over model behavior. An attacker can use this channel to override intended generation constraints, elicit hidden prompt content, or cause the model to repeat sensitive repository or system text; in an LLM-driven content-generation skill, that is a realistic prompt-injection vector.

VirusTotal

66/66 vendors flagged this skill as clean.