Back to skill

Security audit

Secret Detection

Security checks across malware telemetry and agentic risk

Overview

This is a local secret-scanning git hook, but it can replace an existing pre-commit hook and may print real secrets into local output or logs.

Install only after checking whether your repository already has a pre-commit hook, and back it up first. Avoid running this in shared terminals, CI logs, or agent transcripts unless output is redacted, because detected credentials can be printed. Rotate any real secret that has already appeared in the scanner output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares no required permissions, but its documented behavior clearly includes shell execution, reading repository files, and writing a git hook into .git/hooks/pre-commit. This mismatch is dangerous because it hides the actual capability surface from users and policy systems, reducing informed consent and making it easier for a seemingly simple skill to modify local repository behavior.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The script writes directly to `.git/hooks/pre-commit` and makes it executable without prompting the user or checking for an existing hook. In a developer tooling context this is not inherently malicious, but it can unexpectedly overwrite repository-local security or workflow hooks and alters repo behavior in a persistent way.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.