Repo Research

Security checks across malware telemetry and agentic risk

Overview

This is mostly a disclosed GitHub research tool, but it is flagged for Review because it can automatically install another skill (find-skills) and clones repositories and writes reports to local paths with loose controls.

Install only if you are comfortable with a skill that clones arbitrary GitHub repositories and creates local research folders. Before using theme search, require explicit approval before find-skills is installed, and edit or remove the absolute output path in the bundled config.yaml so reports are written to a directory you choose.
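The three controls recommended above can be enforced by a small policy wrapper around the skill's side-effecting actions. The following is an added example, not the skill's own code: every name in it (the config key output_dir, the SkillSession class, the approval strings) is hypothetical, and the config text is a constructed stand-in for the bundled config.yaml whose real keys are not known. It confines report output to a user-chosen root on the fully resolved path, accepts only https GitHub clone targets, and refuses to install find-skills without a per-action approval.

```python
"""Policy gate for a repo-research style agent skill (added example, hypothetical names).

  1. report output is confined to a root the user chose; a config.yaml absolute
     path outside it is replaced, not honoured;
  2. clone targets must be https://github.com/<owner>/<repo>, optionally allowlisted;
  3. installing another skill (find-skills) needs an explicit, per-action approval.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from pathlib import Path
import re

# Constructed stand-in for the bundled config.yaml; the real key names are not known.
CONSTRUCTED_CONFIG = """\
output_dir: /Users/someone/Research/reports   # absolute path shipped with the skill
"""
DEMO_ROOT = Path("research_root").resolve()   # directory the user chose for all writes

# https only, exactly owner/repo, optional .git suffix; no ssh, no extra path segments
GITHUB_REPO_URL = re.compile(
    r"^https://github\.com/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?/?$")


class PolicyViolation(Exception):
    """Raised when an action would leave the agreed scope."""


def parse_flat_yaml(text: str) -> dict:
    """Tiny 'key: value' reader for the flat constructed config above.
    A real loader would use yaml.safe_load; this keeps the example dependency-free."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip().strip("'\"")
    return cfg


def resolve_output_dir(configured: str, root: Path) -> Path:
    """Confine the report directory to `root`. The containment test runs on the
    resolved path, so '..' segments, absolute paths and symlinks out of root fail."""
    root = root.resolve()
    resolved = (root / configured).resolve()      # root / <absolute> == <absolute>
    if resolved != root and root not in resolved.parents:
        raise PolicyViolation(f"output path escapes {root}: {configured!r}")
    return resolved


def load_output_dir(cfg_text: str, root: Path, fallback: str = "reports") -> tuple[Path, bool]:
    """Return (output_dir, overridden); a bundled path outside root becomes fallback."""
    configured = parse_flat_yaml(cfg_text).get("output_dir", fallback)
    try:
        return resolve_output_dir(configured, root), False
    except PolicyViolation:
        return resolve_output_dir(fallback, root), True


def check_clone_target(url: str, allowed_owners: frozenset | None = None) -> tuple[str, str]:
    """Accept only https://github.com/<owner>/<repo>; return (owner, repo)."""
    match = GITHUB_REPO_URL.match(url)
    if not match:
        raise PolicyViolation(f"refusing non-https or non-GitHub clone target: {url!r}")
    owner, repo = match.group(1), match.group(2)
    if "." in (owner, repo) or ".." in (owner, repo):   # both become local dir names
        raise PolicyViolation(f"dotted path segment in {url!r}")
    if allowed_owners is not None and owner not in allowed_owners:
        raise PolicyViolation(f"owner {owner!r} is not in the clone allowlist")
    return owner, repo


@dataclass
class SkillSession:
    """Tracks per-action user approvals; there is no blanket 'approve everything'."""
    root: Path
    approvals: set = field(default_factory=set)
    actions: list = field(default_factory=list)

    def approve(self, action: str) -> None:
        self.approvals.add(action)

    def install_skill(self, name: str) -> str:
        """Refused unless the user approved exactly this install beforehand."""
        action = f"install:{name}"
        if action not in self.approvals:
            raise PolicyViolation(f"{action} needs explicit user approval")
        self.actions.append(action)
        return action

    def clone(self, url: str) -> Path:
        """Validate the target and compute a clone directory that stays under root."""
        owner, repo = check_clone_target(url)
        target = resolve_output_dir(f"repos/{owner}/{repo}", self.root)
        self.actions.append(f"clone:{url}")
        return target


def denied(fn, *args) -> bool:
    """True if the action is refused by policy."""
    try:
        fn(*args)
    except PolicyViolation:
        return True
    return False


if __name__ == "__main__":
    out, overridden = load_output_dir(CONSTRUCTED_CONFIG, DEMO_ROOT)
    print("reports go to", out, "(bundled absolute path overridden)" if overridden else "")
    session = SkillSession(DEMO_ROOT)
    print("install without approval denied:", denied(session.install_skill, "find-skills"))
    session.approve("install:find-skills")
    print("after approval:", session.install_skill("find-skills"))
    print("ssh clone denied:", denied(session.clone, "git@github.com:octocat/Hello-World.git"))
    print("clone dir:", session.clone("https://github.com/octocat/Hello-World.git"))
```

The containment check deliberately resolves before comparing: a relative path such as ../../etc, a bundled absolute path, or a symlink planted inside the root all end up outside it after resolution and are rejected the same way. Approval is keyed on the exact action string, so approving one install never silently authorises a different one.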

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Intent-Code Divergence

Medium
Confidence: 83%
Finding
The document first says missing dependencies should trigger a prompt to install, but later instructs automatic installation of find-skills. Auto-installing another skill changes the environment and can fetch unreviewed remote content without clear user consent, which is risky in a tool that already handles untrusted repositories.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill includes capability to install other skills as part of normal workflow, which is an unnecessary environment-modification power for a repo research tool. Because skills are remote and potentially adversarial, automatic installation expands the trust boundary and could introduce malicious code or prompts into the agent environment.

Vague Triggers

Medium
Confidence: 81%
Finding
The activation phrases are broad enough to trigger on ordinary discussion about analysis or inspiration, increasing the chance the skill runs without clear user intent. In this skill, unintended activation is more dangerous because execution may clone remote repositories and write reports locally.

Vague Triggers

Medium
Confidence: 80%
Finding
Theme-search mode is triggered by generic requests to 'find' or 'search' projects, but the mode can lead to dependency checks, possible installation flows, network access, cloning, and local writes. Ambiguous activation raises the risk of the agent performing higher-impact actions than the user expected.

Vague Triggers

Medium
Confidence: 82%
Finding
Advanced features like search, architecture analysis, and Q&A are mapped to everyday language, which can cause the agent to perform code inspection or other nontrivial operations unintentionally. Since the skill operates on untrusted repositories and local output paths, accidental activation widens exposure to prompt injection and unsafe side effects.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill description does not clearly warn that it clones arbitrary remote repositories and writes analysis outputs to local directories. That omission undermines informed consent and increases risk because users may invoke the skill without realizing it will create files, consume disk space, or interact with untrusted remote content.

VirusTotal

0/65 vendors flagged this skill; all 65 reported it clean.
