CI-CD

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only CI/CD skill with standard build and deployment examples; its sensitive credential handling is expected for the topic but should be hardened before use.

Safe to install as a reference skill. Before using these snippets in production, store credentials only in protected CI secret stores, require approvals for production deploys, pin and review third-party actions, avoid caching or uploading signing files, and delete decoded keystores after builds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 84%
Finding
The workflow decodes a base64-encoded Android signing keystore directly into the repository workspace, which increases the chance that sensitive signing material is exposed through later steps, artifacts, caches, or accidental commits. In a CI/CD context this is meaningful because signing keys are high-value secrets: compromise enables unauthorized app signing and malicious updates that appear legitimate.

VirusTotal

49/49 vendors flagged this skill as clean.
