dataify-github-repository-by-repo-url

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Dataify request-building helper, but users should treat the Dataify API token carefully because the docs recommend persistent storage and the helper can print the token into a curl command.

Install only if you intend to build Dataify scraper requests for GitHub repository tools. DATAIFY_API_TOKEN should be treated as a secret: avoid committing shell startup files containing it, avoid sharing generated curl commands that include the literal token, and rotate the token if it is exposed. Expect possible setup friction because the skill references a tool-params catalog and PowerShell helper that are not included in the artifact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs users to persistently store a sensitive API token in shell startup files such as ~/.bashrc and ~/.zshrc without warning about credential sensitivity, file permissions, shell history exposure, or safer alternatives. This increases the risk of long-lived secret exposure through local compromise, dotfile syncing, backups, shared accounts, or accidental publication.

VirusTotal

62/62 vendors flagged this skill as clean.
