GitHub 稳定获取

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its GitHub-fetching purpose, but its clone script can turn crafted repository, branch, ref, or path inputs into unintended shell commands.

Review before installing. Use it only with repository URLs, branch names, refs, and output paths you trust, and preferably after fixing shell quoting/validation in github-clone.sh. Be aware it may use your local SSH credentials and may route public fetches through third-party mirrors or CDNs; do not use those mirrors for private repositories.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Context-Inappropriate Capability

Low

Confidence: 91% confidence
Finding: The skill goes beyond passive GitHub fetching by instructing the agent to append connectivity results into TOOLS.md, which introduces local file modification behavior. Even though the content appears operationally harmless, expanding write scope increases the chance of unintended persistence, workspace tampering, or modification of unrelated project documentation without explicit user approval.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The activation phrases are broad everyday requests such as '从 GitHub 获取' and 'git clone 失败', which can cause the skill to trigger in situations the user did not intend. Over-broad auto-invocation is dangerous because it may initiate network access, repository operations, or fallback behaviors without sufficiently specific user consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal