Worktree Codex Parallel

Security checks across malware telemetry and agentic risk

Overview

This is a real parallel-coding helper, but it gives agents broad repository authority and can expose logs or local files without enough user control.

Install only if you are comfortable letting autonomous coding agents write, commit, push, open PRs, and potentially merge code. Use a dedicated low-scope GitHub token, avoid sensitive repositories, disable or remove the OpenRouter analysis unless you explicitly want log excerpts sent to a third party, bind the dashboard to localhost or add authentication, and manually review diffs before pushing or merging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exercises file read, shell, and network capabilities but does not declare them, preventing users or policy layers from understanding its true privilege requirements. This weakens informed consent and makes it easier for the skill to perform impactful actions such as reading local config, invoking shells, and contacting remote services without clear disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior substantially exceeds the stated purpose: beyond local worktree orchestration it reads credentials, runs a dashboard service, auto-commits changes, pushes branches, and merges PRs via API. That mismatch is dangerous because users may invoke a seemingly local coordination skill without realizing it can access secrets and make irreversible repository changes.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation expands a local orchestration tool into a repository-modifying automation flow that can push branches and merge pull requests. Even if intended for productivity, this increases blast radius from local task execution to remote source-control changes with organizational impact.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs reading a GitHub token from another skill's configuration file, which is credential access beyond the apparent need of worktree setup. Cross-skill secret reuse is dangerous because it expands trust boundaries, can expose credentials to unrelated workflows, and may lead to unauthorized repository actions if the token is overprivileged.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The dashboard includes a background feature that calls a third-party AI service even though the skill's stated purpose is local worktree/Codex orchestration and monitoring. This expands the trust boundary unexpectedly and can transmit operational data off-host in a way users would not reasonably infer from the manifest.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code silently reads an OpenRouter API key from a local config file to enable third-party analysis, but this credential access is unrelated to the stated orchestration role. Hidden credential use increases surprise, broadens the attack surface, and makes it easier for sensitive local configuration to be used in ways the operator did not expect.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code builds prompts from agent logs, metrics, and log tail content, then sends them to OpenRouter for qualitative analysis. Agent logs commonly contain source code, file paths, shell commands, session identifiers, error traces, and potentially secrets, so this creates a real data-exfiltration path to a third party without necessity for core functionality.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation phrases are broad enough to match ordinary requests about collaboration or parallel coding, increasing the chance that a high-privilege orchestration skill activates unexpectedly. In context, accidental activation matters because the skill can spawn processes, read config, and perform repository actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill references secret retrieval and automatic GitHub actions without a clear user-facing warning about privacy, token use, or repository impact. Users may not realize the skill can access local credentials and create or merge PRs on their behalf, undermining informed consent for sensitive actions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The instructions recommend dangerous sandbox-bypass flags such as disabling approvals and sandbox protections, which materially lowers containment against file-system and command abuse. In this skill's context, those flags are especially risky because the same workflow also handles credentials, shell execution, and networked repository operations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The dashboard sends agent log excerpts and metrics to an external AI service without any user-facing warning, consent flow, or visible indication before transmission occurs. This undermines informed consent and can leak sensitive build, code, or environment details to a third-party processor unexpectedly.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The code reads API credentials from a local config file with no disclosure, which is risky because operators may not realize this dashboard consumes and uses their third-party service credentials. While not direct exfiltration by itself, it contributes to a hidden capability that supports unexpected outbound transmission.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically stages and commits all workspace changes without user review, then bypasses git hooks with --no-verify. In a coding-agent workflow, this can silently record unsafe, policy-violating, or secret-bearing changes and defeats local safeguards meant to catch them before commit.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The task prompt is passed directly to the Codex CLI, which is configured to use an external model endpoint, but the script provides no runtime disclosure or consent step. In this context, prompts may include proprietary code, issue details, or secrets from the worktree, making unintended external transmission a meaningful confidentiality risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script forcibly removes an existing worktree entry and then recursively deletes the corresponding directory with no confirmation, dry-run mode, or path safety validation beyond string construction. In this skill's context, which orchestrates multiple parallel coding worktrees, this behavior is more dangerous because users may rerun setup against active worktrees and unintentionally destroy uncommitted work or delete an unintended path if agent names or base paths are misconfigured.

External Transmission

Medium
Category
Data Exfiltration
Content
After verification passes, merge via the GitHub API:

```bash
curl -s -X PUT \
  -H "Authorization: Bearer $GH_TOKEN" \
  -H "Accept: application/vnd.github+json" \
  "https://api.github.com/repos/<owner/repo>/pulls/<pr_number>/merge" \
```
Confidence
90% confidence
Finding
curl -s -X PUT \ -H "Authorization: Bearer $GH_TOKEN" \ -H "Accept: application/vnd.github+json" \ "https://api.github.com/repos/<owner/repo>/pulls/<pr_number>/merge" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
curl -s -X PUT \
  -H "Authorization: Bearer $GH_TOKEN" \
  -H "Accept: application/vnd.github+json" \
  "https://api.github.com/repos/<owner/repo>/pulls/<pr_number>/merge" \
  -d '{"merge_method": "squash"}'
```
Confidence
87% confidence
Finding
https://api.github.com/

VirusTotal

65/65 vendors flagged this skill as clean.