Git Repo to Book

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent repo-to-book workflow, but it gives agents broad file, credential, subagent, external-service, and git publishing authority without enough scoping or approval gates.

Install only if you are comfortable with a long-running agent workflow that reads repositories, writes many files, uses external AI/research services, handles provider keys, and may publish to git. Use it in a clean working directory, avoid private or sensitive repos unless approved, review remotes and diffs before any push, and require explicit confirmation before exporting credentials, overwriting chapters, creating PRs, merging, or publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability
Severity: High; confidence: 98%
Finding: The skill instructs the agent to inspect the user's local OpenClaw config and export API keys as environment variables for downstream use. Accessing and re-exposing secrets from local configuration is highly sensitive and exceeds what should happen implicitly in a book-writing workflow, especially when subagents and external tools are involved.

Missing User Warnings
Severity: Medium; confidence: 95%
Finding: The README names multiple external models and states that parallel research, writing, and review agents will be spawned, but it does not clearly warn that source material and user content may be transmitted to third-party AI providers. This creates privacy, confidentiality, and cost risks because users may provide proprietary repositories or manuscripts without realizing the data exposure and multiplied token spend from parallel execution.

Missing User Warnings
Severity: Medium; confidence: 95%
Finding: The README names multiple external models and states that parallel research, writing, and review agents will be spawned, but it does not clearly warn that source material and user content may be transmitted to third-party AI providers. This creates privacy, confidentiality, and cost risks because users may provide proprietary repositories or manuscripts without realizing the data exposure and multiplied token spend from parallel execution.

Vague Triggers
Severity: Medium; confidence: 90%
Finding: The triggers are broad and include short/common phrases, increasing the chance of accidental invocation. Because this skill can clone repos, overwrite files, run shell commands, and push to git, unintended activation materially raises the risk of unwanted local changes or data transmission.

Missing User Warnings
Severity: Medium; confidence: 95%
Finding: The skill describes cloning repositories, overwriting chapter files, committing changes, and pushing remotely, but it does not consistently warn users that local and remote repositories will be modified. In a repository-writing context, silent in-place modification and publication can cause data loss, branch pollution, or unintended disclosure.

Missing User Warnings
Severity: Medium; confidence: 97%
Finding: Reading API keys from local config and exporting them as environment variables without a clear privacy warning or explicit consent exposes sensitive credentials to a broader process scope. Those keys could be inherited by spawned processes or mishandled by logs and tooling, turning a writing workflow into a secret-exposure risk.

Missing User Warnings
Severity: Medium; confidence: 94%
Finding: The skill sends repository identifiers and potentially derived content to third-party services such as DeepWiki and web research providers, but does not clearly warn users that project information may leave the local environment. For private, sensitive, or unpublished repos, that can result in unintended disclosure of proprietary information.

Vague Triggers
Severity: Medium; confidence: 92%
Finding: The trigger phrases are broad enough to activate this skill for many generic writing requests, not just repo-to-book workflows. Because the skill requires powerful tools like exec, sessions_spawn, read, and write, accidental invocation can route ordinary user prompts into a high-privilege multi-agent workflow, increasing the chance of unnecessary file access, command execution, or unintended orchestration.

Vague Triggers
Severity: Medium; confidence: 89%
Finding: The regex patterns are underspecified and can match a wide range of unrelated prompts, such as any request containing 'technical book' or loosely phrased 'write ... book'. In this skill's context, ambiguous matching is more dangerous because invocation grants access to high-capability tooling and parallel agent spawning, which amplifies the consequences of misrouting a user request.

Missing User Warnings
Severity: Medium; confidence: 94%
Finding: The agenda explicitly instructs the workflow to perform a `git push` to a remote repository as part of the normal publish phase, but it does not include any warning, confirmation step, or restriction on what remote is being used. In an agentic workflow, this creates a real risk of unintentionally exfiltrating generated or source-derived content to an external destination, especially if the repository or remote contains sensitive material or is misconfigured.

VirusTotal

66/66 vendors flagged this skill as clean.