Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
GitHub Actions Failure Owner Audit
Security checks across malware telemetry and agentic risk
Overview
This skill is a local reporting tool for GitHub Actions failure exports, with no evidence of hidden network access, persistence, or destructive behavior.
Use this only on GitHub Actions exports you are comfortable analyzing locally. Scope the GitHub CLI export and RUN_GLOB narrowly, and avoid sharing raw output if it contains private repo names, branch names, actor identities, workflow details, or run URLs. Verify the package version if you need the 1.2.0 filter features described in metadata.
SkillSpector
By NVIDIA
Vulnerability Patterns
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)
VirusTotal
66/66 vendors flagged this skill as clean.