YouTrack Issue Tracker

Security checks across malware telemetry and agentic risk

Overview

This YouTrack skill is not malicious, but it needs review because it asks agents to use a missing CLI tool and includes broad issue-changing commands with limited safeguards.

Before installing, verify what `ytctl` will actually run, since it is referenced but not packaged in this artifact. Use a least-privilege YouTrack token, prefer narrow queries, run dry-run previews first, and require explicit confirmation before creating, updating, assigning, or commenting on multiple issues.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill documents bulk-update, bulk-comment, and bulk-assign commands that can modify many issues at once, but it does not clearly warn that these are mass-changing operations or require strong confirmation practices beyond mentioning an optional dry-run for some examples. In an agent context, this increases the chance of accidental large-scale edits, spam comments, or reassignment across projects if a query is broad or mis-specified.

VirusTotal

64/64 vendors flagged this skill as clean.
