PR + Commit Workflow

Security checks across malware telemetry and agentic risk

Overview

This PR workflow skill is not clearly malicious, but it asks agents to publish full prompt history and environment details into pull requests, which can expose sensitive information.

Install only if you are comfortable with PRs containing agent prompt history and local environment details. Before using it, require manual review and redaction of prompts, secrets, internal paths, tokens, private instructions, and personal data, and avoid using it unchanged on public or sensitive repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding: The skill's declared purpose is PR/commit workflow enforcement, but it explicitly references `scripts/build_pr_body.sh` to collect environment metadata for PR content. That creates a capability outside the stated scope and can expose local runtime details such as environment, tooling, or host information into PR text or logs, which is risky in agentic workflows where users may not expect data collection. The mismatch also reduces transparency and makes it easier to smuggle unnecessary telemetry into developer workflows.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The script collects agent, model, terminal, and operating system metadata that is not necessary to build a PR body structure. In a PR/commit workflow skill, this creates avoidable fingerprinting and disclosure of local environment details, which may leak sensitive operational context into logs, generated PR text, or downstream systems.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The script's behavior includes runtime fingerprinting: it probes environment variables and local filesystem paths associated with specific agent tools and terminals. In the stated skill context, which is supposed to enforce human-written PR structure and evidence, this is out of scope and increases risk by identifying the execution environment for no clear security or functional need.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The README says the skill activates whenever creating commits or PRs, without narrowing scope to trusted repositories, explicit user confirmation, or sensitivity checks. In a workflow skill, this broad trigger can cause the skill to run during routine development and automatically apply data-collection or disclosure behavior in contexts where the user did not intend it.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The README explicitly promotes capturing full prompt history and environment metadata for inclusion in PRs, but provides no strong privacy warning, redaction guidance, or consent gate. Prompt histories and environment details frequently contain secrets, internal paths, hostnames, usernames, repository context, or sensitive instructions, so normalizing their disclosure creates a substantial exfiltration risk.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The workflow instructs agents to include the full prompt history verbatim in PR content, with only partial redaction for explicitly recognized sensitive portions. This creates a strong risk of exposing secrets, internal instructions, access tokens, proprietary prompts, or personal data in a durable and broadly visible artifact such as a pull request, especially because users are not warned to review or minimize disclosures before publication.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding: The script reads multiple environment variables and local metadata sources without any user-facing notice or apparent necessity for the advertised feature. While the data gathered is not highly sensitive by itself, undisclosed collection undermines user expectations and can contribute to profiling or accidental exposure when incorporated into workflow output.

Ssd 3

Severity: Medium
Confidence: 98%
Finding: By presenting full prompt-history capture and environment recording as a standard workflow feature, the skill encourages users and agents to publish sensitive natural-language inputs and execution context into shared PR artifacts. In the context of code-review workflows, this is especially dangerous because PRs are commonly visible to teams, forks, CI systems, and external contributors, magnifying the blast radius of any leaked data.

Ssd 3

Severity: Medium
Confidence: 99%
Finding: The example PR states that real PRs include full verbatim prompts, directly reinforcing a practice of copying raw user interactions into repository artifacts. This can leak credentials, proprietary instructions, personal data, security-relevant context, or internal operational details, and the example makes that behavior appear expected and acceptable.

Ssd 3

Severity: High
Confidence: 99%
Finding: Requiring verbatim prompt history and environment metadata in the PR body is a natural-language exfiltration channel: it can disclose confidential prompts, repository-specific instructions, internal tooling details, host environment data, and other sensitive operational context to reviewers or anyone with PR visibility. In this skill context, the danger is elevated because PRs are collaboration artifacts that are commonly shared, archived, indexed, and retained, making accidental disclosure persistent and hard to remediate.

VirusTotal

66/66 vendors flagged this skill as clean.