Security audit

skill-distributor

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but its optional publishing path handles GitHub credentials and repository writes in a risky, under-scoped way.

Use this skill first in generation-only mode. Do not paste a broad or long-lived GitHub token into chat; use a fine-grained token limited to one repository, verify the destination repo, inspect diffs, back up README.md, and remove any tokenized remote URL after publishing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (6)

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The template is supposed to help distribute the current skill, but it embeds a different skill identity (`ai-usage-collector`) and unrelated repository/description. This can mislead maintainers and users into submitting or publishing incorrect content, causing accidental impersonation, provenance confusion, and distribution of a different skill than intended.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The example invocation is very broad and natural-language-like, which increases the chance the skill is triggered unintentionally during ordinary conversation. Because this skill performs file-reading and content-generation workflows over a user-supplied path, accidental activation could cause unintended processing of local skill directories or creation of distribution artifacts.

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The trigger words include broad natural-language phrases such as '帮我发到各平台' and '一键发布', which may cause the skill to activate unintentionally during ordinary conversation. Because the skill has Write and Bash permissions, accidental invocation could lead to unwanted file generation, repository modifications, or external publishing steps being prepared.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill asks users to provide a GitHub Token for automated push operations, but the guidance does not define safe collection, masking, storage, redaction, or one-time use handling. In an agent context, this creates a meaningful risk of credential exposure in chat logs, shell history, generated files, remote URLs, or error output, which could enable repository compromise.

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The instructions explicitly copy distro/github/README.md over the repository root README.md, which can overwrite user content and change the visible project description. While not a credential or code-execution issue, it is still a potentially destructive write operation that may cause data loss or unintended repository changes if performed without strong warning and confirmation.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The template promotes bulk extraction of colleagues' AI-usage data from WeChat text and screenshots without any consent, minimization, or sensitive-data handling guidance. In a distribution template, this normalizes privacy-invasive use cases and could lead operators to collect personal or workplace data in ways that violate policy, confidentiality expectations, or local privacy law.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.