Back to skill

Security audit

GitHub Token

Security checks across malware telemetry and agentic risk

Overview

This GitHub helper matches its stated purpose, but it needs Review because it handles powerful GitHub tokens unsafely and can push all local changes without a clear review step.

Install only if you are comfortable giving the agent a GitHub token with the chosen repository scopes. Prefer a fine-grained, short-lived PAT limited to one repo, avoid storing it in TOOLS.md or passing it on the command line, manually review git status and diffs before any push, and revoke the token when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises shell, network, and environment-backed capabilities without any declared permission model or explicit guardrails. This creates a governance gap where a high-impact integration can be invoked and operate on sensitive systems or credentials without clear user consent boundaries.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description is broad enough that the skill may trigger on general GitHub-related requests, including cases where the user did not intend to provide or use a Personal Access Token. Over-broad routing increases the chance of unnecessary credential collection or execution of repo-affecting operations in the wrong context.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation instructs users to store a sensitive PAT in TOOLS.md or pass it via --token, but does not warn that both methods can expose secrets through local files, shell history, process listings, logs, or transcripts. Because PATs grant direct GitHub access, accidental disclosure could enable repository compromise, data exfiltration, or malicious pushes.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The clone command embeds the GitHub PAT directly in the repository URL, which can leak the secret via process listings, shell history, error output, logs, or git remote configuration artifacts. In a skill meant to automate GitHub access, this is especially dangerous because users are likely to run it with high-value tokens that grant repository read/write access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The push workflow automatically stages all files with 'git add -A', commits, and pushes without preview or confirmation, which can unintentionally publish secrets, unrelated files, or local-only changes. In an agent skill context, this is more dangerous because automation reduces user scrutiny and can turn a small prompt mistake into immediate exfiltration or repository tampering.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.