Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
GitHub Actions Step Flake Audit
Security checks across malware telemetry and agentic risk
Overview
This skill locally analyzes GitHub Actions JSON exports to identify flaky CI steps and does not show hidden network, credential, persistence, or destructive behavior.
Install if you are comfortable letting the skill read the GitHub Actions JSON files matched by RUN_GLOB. Keep RUN_GLOB narrow, because those exports may include repository names, branches, run IDs, job and step names, and GitHub URLs.
SkillSpector
By NVIDIA
Vulnerability Patterns
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)
VirusTotal
64/64 vendors flagged this skill as clean.