
Security audit

GitHub Operations

Security checks across malware telemetry and agentic risk

Overview

This GitHub automation skill is mostly purpose-aligned, but it includes an under-scoped history-cleaning command that can rewrite and force-push all branches and tags without confirmation.

Install only if you intentionally need GitHub automation with administrative repository powers. Use least-privilege GitHub tokens, avoid delete or force-push permissions unless required, verify IM webhook/API destinations, and do not run the clean/history feature unless you have backups and are prepared for all branches and tags to be rewritten.
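The backup-first, confirm-before-rewrite handling that the guidance above asks for, written as an added example for this audit page; it is not code from the audited skill. It assumes the command sequence the findings below quote (a filter-branch run with an index-filter, then a force-push of all branches and tags), an assumed confirmation phrase, and a bare mirror clone as the backup. The quoted index-filter interpolates file_path into a string that filter-branch hands to a shell, so the example quotes it with shlex.quote before building the command.

```python
"""Added example, not the audited skill's code: a dry-run-by-default, confirmation-gated,
backup-first wrapper around the history-rewrite-and-force-push sequence the findings quote.
Function names, the confirmation phrase and the backup layout are assumptions."""
from __future__ import annotations

import shlex
import subprocess
from dataclasses import dataclass, field

CONFIRM_PHRASE = "rewrite all branches and tags"  # assumed; must be supplied verbatim


@dataclass
class RewritePlan:
    """Commands in execution order; nothing runs until run() is called."""
    backup: list[str]
    rewrite: list[str]
    pushes: list[list[str]] = field(default_factory=list)


def plan_history_rewrite(file_path: str, remote_url: str, backup_dir: str) -> RewritePlan:
    # filter-branch evaluates --index-filter with the shell once per commit, so the
    # path is quoted instead of being spliced into the string raw.
    index_filter = f"git rm --cached --ignore-unmatch {shlex.quote(file_path)}"
    return RewritePlan(
        # A bare mirror clone keeps every branch and tag, so the rewrite can be undone.
        backup=["git", "clone", "--mirror", remote_url, backup_dir],
        rewrite=["git", "filter-branch", "--index-filter", index_filter,
                 "--prune-empty", "--tag-name-filter", "cat", "--", "--all"],
        pushes=[["git", "push", "origin", "--force", "--all"],
                ["git", "push", "origin", "--force", "--tags"]],
    )


def authorize(confirmation: str, dry_run: bool) -> str:
    """Returns 'dry-run', 'execute' or 'refused'. Executing needs the exact phrase."""
    if dry_run:
        return "dry-run"
    if confirmation.strip() == CONFIRM_PHRASE:
        return "execute"
    return "refused"


def run(plan: RewritePlan, confirmation: str = "", dry_run: bool = True) -> list[list[str]]:
    """Runs backup first and the pushes last, only when authorized; returns the
    commands that were run (or, on a dry run, would have been run)."""
    decision = authorize(confirmation, dry_run)
    commands = [plan.backup, plan.rewrite, *plan.pushes]
    if decision == "refused":
        raise PermissionError(f"refusing to rewrite history: confirm with {CONFIRM_PHRASE!r}")
    if decision == "dry-run":
        for cmd in commands:
            print("would run:", shlex.join(cmd))
        return commands
    for cmd in commands:
        # No capture_output: the operator should see filter-branch and push output.
        subprocess.run(cmd, check=True)
    return commands
```

The quoted skill code calls subprocess.run with capture_output=True, which hides the warnings and ref summaries git prints during the rewrite and the force-push; the wrapper leaves them visible because they are the operator's only live indication of what was rewritten.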

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
'--index-filter', f'git rm --cached --ignore-unmatch {file_path}',
                '--prune-empty', '--tag-name-filter', 'cat', '--', '--all'
            ]
            subprocess.run(cmd, check=True, capture_output=True)
            
            # Force-push to the remote
            subprocess.run(['git', 'push', 'origin', '--force', '--all'], check=True, capture_output=True)
Confidence
97% confidence
Finding
subprocess.run(cmd, check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
subprocess.run(cmd, check=True, capture_output=True)
            
            # Force-push to the remote
            subprocess.run(['git', 'push', 'origin', '--force', '--all'], check=True, capture_output=True)
            subprocess.run(['git', 'push', 'origin', '--force', '--tags'], check=True, capture_output=True)
            
            # Clean up the temporary directory
Confidence
95% confidence
Finding
subprocess.run(['git', 'push', 'origin', '--force', '--all'], check=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Force-push to the remote
            subprocess.run(['git', 'push', 'origin', '--force', '--all'], check=True, capture_output=True)
            subprocess.run(['git', 'push', 'origin', '--force', '--tags'], check=True, capture_output=True)
            
            # Clean up the temporary directory
            os.chdir('..')
Confidence
95% confidence
Finding
subprocess.run(['git', 'push', 'origin', '--force', '--tags'], check=True, capture_output=True)

Tainted flow: 'payload' from os.getenv (line 146, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
"type": "text",
            "content": message
        }
        response = requests.post(f"{api_url}/bot/send", json=payload)
        response.raise_for_status()
        return "Message sent to WeChat"
Confidence
84% confidence
Finding
response = requests.post(f"{api_url}/bot/send", json=payload)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill demonstrates capabilities to access environment variables, make network requests, and invoke shell commands, but it does not declare permissions or boundaries for those actions. In an agent setting, this weakens user awareness and policy enforcement, increasing the chance of unintended token access, external communication, or command execution without explicit scrutiny.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill manifest describes GitHub and IM operations, but the code also performs local git history rewriting and force-pushes. This hidden expansion of capability is dangerous because users may authorize a seemingly routine GitHub tool without expecting destructive local shell-based repository mutation.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill executes local git subprocesses that are not necessary for ordinary GitHub/IM integration. In this context, unexpected local command execution materially increases risk because it introduces host-level side effects and expands the trust boundary beyond remote API calls.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill description is broad enough to match many common GitHub-related requests, which can cause the agent to invoke it in situations the user did not intend. Because the skill includes destructive repository operations and outbound integrations, over-broad triggering materially raises the risk of unsafe or surprising actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation includes a repository deletion command as a normal usage example without a prominent warning about irreversibility, ownership checks, or confirmation requirements. In a skill that can plausibly be auto-invoked or followed by an agent, this increases the likelihood of accidental destructive actions against production or personal repositories.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The manifest trigger words are broad and generic (for example, "git", "repo", "pr", and "issue"), which can cause this skill to activate in many ordinary developer conversations that do not actually require privileged GitHub operations. Because the skill is designed to handle repository actions and references sensitive credentials in its environment, overbroad activation increases the chance of unnecessary invocation, unintended repository operations, or accidental exposure of high-privilege functionality.

Missing User Warnings

High
Confidence
99% confidence
Finding
The clean command directly invokes history rewrite and force-push without any confirmation, unlike delete_repo which requires explicit user acknowledgement. Because the operation rewrites all branches and tags, accidental invocation or prompt abuse can cause irreversible repository damage at scale.

External Transmission

Medium
Category
Data Exfiltration
Content
"text": message
                }
            }
            response = requests.post(self.feishu_webhook_url, json=payload)
            return response.json()
        return {"error": "FEISHU_WEBHOOK_URL not set"}
Confidence
88% confidence
Finding
requests.post(self.feishu_webhook_url, json=
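Both outbound findings (the tainted flow from os.getenv into requests.post above, and this Feishu webhook post) send a message to a destination read from the environment without checking where it points. The check below is an added example for this audit page, not the audited skill's code: it validates the destination before any post is made, fails closed when the variable is missing, and redacts the URL for logging, since Feishu webhook URLs carry their bot token in the path. The allowlist hosts and paths, the WECHAT_API_URL variable name and the helper names are assumptions.

```python
"""Added example, not the audited skill's code: verify IM webhook/API destinations
taken from the environment before posting to them."""
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist: the Feishu bot webhook host and an assumed self-hosted WeChat bridge.
ALLOWED_DESTINATIONS = {
    "open.feishu.cn": ("/open-apis/bot/v2/hook/",),
    "wechat-bridge.internal.example": ("/bot/send",),
}


def check_destination(url: str) -> Optional[str]:
    """Returns None if the URL may be used, otherwise the reason it was rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return f"scheme {parts.scheme!r} is not https"
    if parts.username or parts.password:
        return "credentials embedded in URL"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_DESTINATIONS:
        return f"host {host!r} not in allowlist"
    if not any(parts.path.startswith(p) for p in ALLOWED_DESTINATIONS[host]):
        return f"path {parts.path!r} not permitted for {host}"
    return None


def redact(url: str) -> str:
    """Log-safe form: scheme and host only, since the webhook token lives in the path."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}/[redacted]"


def feishu_webhook(env: dict) -> str:
    """Reads FEISHU_WEBHOOK_URL (the variable the quoted code checks) and validates it."""
    url = env.get("FEISHU_WEBHOOK_URL")
    if not url:
        raise RuntimeError("FEISHU_WEBHOOK_URL not set")
    reason = check_destination(url)
    if reason:
        raise ValueError(f"FEISHU_WEBHOOK_URL rejected ({redact(url)}): {reason}")
    return url


def wechat_send_url(env: dict) -> str:
    """Builds the '{api_url}/bot/send' URL the quoted code posts to, from an assumed
    WECHAT_API_URL variable, and validates the result rather than the bare base."""
    api_url = env.get("WECHAT_API_URL")
    if not api_url:
        raise RuntimeError("WECHAT_API_URL not set")
    url = f"{api_url.rstrip('/')}/bot/send"
    reason = check_destination(url)
    if reason:
        raise ValueError(f"WECHAT_API_URL rejected ({redact(url)}): {reason}")
    return url


# Constructed environment for a stand-alone run; the attacker-shaped values show
# what the allowlist stops when the variables are set by something other than the user.
SAMPLE_ENV = {
    "FEISHU_WEBHOOK_URL": "https://open.feishu.cn/open-apis/bot/v2/hook/0123abcd",
    "WECHAT_API_URL": "http://collector.attacker.example",
}

if __name__ == "__main__":
    print("feishu:", redact(feishu_webhook(SAMPLE_ENV)))
    try:
        wechat_send_url(SAMPLE_ENV)
    except ValueError as err:
        print("wechat:", err)
```

Checking the final URL rather than the base matters for the WeChat case: the quoted code appends /bot/send to whatever api_url holds, so the allowlist has to see the path it will actually post to.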

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.