Back to skill

Security audit

yuhang

Security checks across malware telemetry and agentic risk

Overview

This skill has a clear purpose, but it can create or overwrite persistent agent skills from GitHub repositories while using risky local execution and secret-handling patterns.

Install only if you intentionally want an agent to create persistent skills from GitHub repositories. Use trusted public repositories, avoid running it from directories containing sensitive .env files, do not use it for private/internal repositories unless mirrors are disabled and verified, review generated SKILL.md files before use, and run any cloned or generated code in a sandbox.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd_str = f'git clone --depth {config.clone_depth} "{clone_url}" "{target_dir}"'

                print(f"{Colors.INFO}执行命令: {cmd_str}")
                result = subprocess.run(
                    cmd_str, capture_output=True, text=True, timeout=config.timeout, shell=True
                )
Confidence
99% confidence
Finding
result = subprocess.run( cmd_str, capture_output=True, text=True, timeout=config.timeout, shell=True )

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script automatically loads .env files from multiple local directories into the process environment without explicit user consent or scoping. In an agent skill context, this increases exposure of unrelated secrets to all later code paths, network requests, and subprocesses, which exceeds the minimum privileges needed for repository conversion.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill executes shell commands with shell=True for repository cloning, giving it a much broader command-execution capability than necessary for its stated purpose. Because the tool accepts arbitrary repository inputs and constructs command strings dynamically, this becomes a direct command execution risk rather than just an implementation detail.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The comment explicitly asserts the clone URL is safe/controllable, but the code derives clone_url from user-provided repository URLs and mirror transformations before executing it via shell=True. This false safety assumption can lead maintainers to miss a command injection path in a high-risk code path.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation guidance is broad enough that ordinary requests like wanting to use a GitHub tool or install a feature could trigger this skill automatically. Because the skill performs network access and filesystem changes against arbitrary repositories, overly permissive triggering increases the chance of unintended execution on ambiguous user input.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises cloning repositories and generating files but does not prominently warn up front that it will modify the local filesystem and later remove the cloned repository's .git metadata. In a tool that imports arbitrary external content, lack of pre-execution warning can lead users to authorize risky actions without informed consent.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
When --force is set, the script recursively deletes the target directory without an additional confirmation or safety guard at the deletion point. In a skill that writes into user-controlled paths and may be automated, this can cause destructive loss of local data if the target path is miscomputed or unexpectedly broad.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script runs dynamically constructed shell commands from repository and path data without clear up-front disclosure that arbitrary subprocess execution will occur. In agent environments, hidden command execution increases the chance that users invoke the skill assuming passive analysis while it actually performs privileged local actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently imports environment variables from local .env files, including possible credentials, without disclosure at runtime. In a skill context this undermines transparency and can unintentionally broaden the data available to network requests or child processes.

VirusTotal

50/50 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.