Cann Review

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its stated purpose of PR review automation, but it ships hard-coded GitCode credentials, and some of its automation marks or comments on PRs without a real, completed review.

Install only after removing and rotating the embedded GitCode token, confirming the skill uses your own least-privilege token loaded from an environment variable or config file, and disabling scheduled/bulk review until you verify it performs real analysis before posting comments or marking PRs reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (38)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""调用 GitCode API"""
    sep = '&' if '?' in url else '?'
    cmd = f'curl -s "{url}{sep}access_token={TOKEN}&per_page=100"'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=10)
    if result.returncode != 0:
        return None
    try:
Confidence
97% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Use the access_token query parameter rather than a Bearer token, because the Bearer approach truncates the comment list
    sep = '&' if '?' in url else '?'
    cmd = f'curl -s "{url}{sep}access_token={TOKEN}&per_page=100"'
    # Same shell=True pattern as the other helper, but without a timeout
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    try:
        return json.loads(result.stdout)
    except:
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill describes capabilities that read and write local files and execute shell commands, but it declares no permissions. That mismatch weakens security review and consent boundaries because the platform or user may not realize the skill can access configuration files and tokens and execute local scripts. In this context, the risk is amplified because the skill also handles API credentials and automation workflows.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior goes beyond user-requested PR review into autonomous repository scanning, bulk review posting, local state management, and other operational behaviors not reflected in the declared purpose. This is dangerous because users may invoke a seemingly narrow review skill while actually authorizing broad monitoring and outbound actions across repositories. The mismatch materially increases the attack surface and reduces informed consent.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The guide expands the skill from on-demand PR review into scheduled autonomous scanning of multiple repositories and automatic posting of results. This changes the trust and execution model materially: the agent can act without a direct user request, increasing the chance of unintended data access, noisy automation, or misuse at scale across repositories.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Sending review results to external channels such as Telegram introduces an unnecessary data egress path beyond the core purpose of reviewing PRs. Review outputs may contain sensitive code context, internal findings, repository metadata, or security issues that should remain within the source-control system and approved internal workflows.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation includes a hard-coded bearer token in example API calls. Even if intended as an example, publishing credential-like secrets can leak real access if the token is valid, and it normalizes unsafe handling of secrets in copied commands and logs.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The skill warns users not to pass tokens on the command line because they can be recorded in shell history, but the provided examples do exactly that. This contradiction is dangerous because users are likely to copy the examples verbatim, exposing credentials in history, process listings, logs, and transcripts.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill expands from reviewing a user-specified PR to autonomous scheduled scanning and bulk reviewing across multiple repositories. That scope expansion is security-relevant because it turns a targeted review tool into a monitoring and mass-posting agent with broader data access and outbound effects.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script presents itself as an automatic PR review tool, but the actual behavior only posts a generic marker comment and never analyzes diffs, files, or code quality/security issues. In a code-review skill context, this is dangerous because it can create false assurance that security review occurred, causing risky changes to be trusted or merged without real inspection.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The file header says this performs a real automatic review and actually posts comments, while the posted message states it is only a preliminary marker and not a full review report. This inconsistency can mislead operators and downstream automation about the trust level of the action, increasing the chance that an unreviewed PR is treated as reviewed.

Description-Behavior Mismatch

Medium
Confidence
78% confidence
Finding
The script ignores a user-specified PR target and instead scans configured repositories for the next open PR, which can cause review actions to be directed at the wrong repository or PR. In a code-review automation context, acting on an unintended PR can expose private metadata, produce unauthorized comments, or trigger actions against repositories outside the user's intended scope.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script’s advertised purpose is to review PRs, but it only lists a PR, prints metadata, and then records it as already reviewed. This creates a security-significant integrity failure: PRs can be silently skipped from actual review, allowing unsafe or malicious code changes to pass through the workflow under the false appearance of having been processed.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The code explicitly marks the PR as reviewed before any review is performed, which contradicts the comment and undermines the trustworthiness of the review state. In an automated code-review skill, this can suppress future review attempts and let risky PRs evade scrutiny entirely.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script advertises an automatic PR review workflow, but in reality it only selects an open PR and immediately records it as reviewed without inspecting diffs, generating a report, or publishing comments. In a security review context, this creates a silent integrity failure: PRs can be skipped permanently while operators believe they were audited, allowing vulnerable code to pass through unchecked.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The state-tracking logic is used as if it represented completed reviews, but the main workflow calls mark_reviewed before any actual review occurs. This mismatch between documented intent and actual behavior increases the chance of operational bypass, where PRs are excluded from future processing despite never being analyzed.

Description-Behavior Mismatch

High
Confidence
81% confidence
Finding
The skill metadata claims it automatically analyzes changes, generates reports, and publishes comments, but this script only enumerates PRs and records local state. In a security review workflow, this discrepancy is dangerous because users may wrongly rely on nonexistent review coverage and leave PRs effectively unreviewed while believing they were processed.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file contains a hard-coded access token and account-specific monitoring logic, which means anyone with access to the code can reuse the credential to query the GitCode API as that account. In a review skill, this is especially dangerous because the embedded credential enables silent access to repository metadata and comments unrelated to the current user's intent.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A hard-coded API token is embedded directly in the source and then used for authenticated polling of an external service. Anyone who can read the skill file can reuse the credential, and in a shared agent-skill environment this greatly increases the chance of credential theft and unauthorized API access.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script performs autonomous polling across multiple repositories for mentions and emits PR targets for follow-on processing, which exceeds a user-invoked PR review function. In an agent skill context, this broadens data access and behavior scope, enabling background monitoring and action on repositories without an explicit per-request trigger from the user.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The package defines a postinstall hook that executes a shell script during installation, which creates code-execution behavior beyond the skill's stated purpose of reviewing PRs. In a skill ecosystem, installation-time execution is risky because users may install the package expecting passive review functionality, while the script can run arbitrary commands on the host without additional consent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
A shell-based postinstall capability is not obviously justified for a PR review skill, so it materially increases the attack surface with no clear functional need visible in this file. Because postinstall runs automatically in many package manager workflows, it can be abused for environment modification, data access, or persistence at install time.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A hard-coded bearer token is a real credential exposure: anyone who can read the file, logs, backups, or repository history may reuse it to post comments or access related API functionality. In an agent skill that automatically reviews PRs and publishes comments, embedding a live token is especially dangerous because the skill is designed to operate against external services and may run in shared or semi-trusted environments.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains a hard-coded GitCode Bearer token and immediately uses it to authenticate to the GitCode API. Embedding live credentials in a repository or skill artifact enables token theft, unauthorized API access, and reuse by anyone who can read the file, which is especially dangerous in an automation skill that may be broadly shared or executed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly advertises automatic posting of review comments and `/lgtm`, which means the skill can perform write actions against remote PR threads. Without a clear warning or consent model, users may invoke what appears to be a review tool but unintentionally approve or comment on external repositories, creating integrity and workflow risks.

VirusTotal

64/64 vendors flagged this skill as clean.