Back to skill

Security audit

CI/CD Pipeline

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only GitHub Actions skill whose deployment and secrets examples are high-impact but visible and aligned with CI/CD work.

Review any generated .github/workflows files before committing them. For deployment, release, Docker, npm publish, or secret-related workflows, use least-privilege tokens, environment protections, trusted or pinned actions, staging tests, and manual approvals where production systems or public artifacts are involved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill provides ready-to-run deployment, publishing, Docker push, and secret-management examples that can directly affect production systems and sensitive credentials, but it does not include explicit cautions, preconditions, or guardrails. In an agent setting, this increases the risk that a user or downstream system applies the examples verbatim to a real repository, causing unintended releases, deployments, package publication, or unsafe secret handling.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.