Back to skill

Security audit

PR + Commit Workflow

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it instructs agents to publish full prompt history and local environment details in pull requests, which can expose sensitive information.

Install only if you are comfortable manually reviewing and redacting prompt history and local environment details before every PR. Avoid using it unchanged on public or sensitive repositories, and require explicit approval before any transcript, terminal, model, OS, internal path, token, secret, or private business context is added to a PR.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill advertises a commit/PR workflow, but it also instructs use of a script that gathers environment metadata. In an agentic context, collecting harness, model, OS, terminal, installed tooling, and related environment details can disclose sensitive operational information beyond the stated purpose and may end up in PR bodies or logs, creating unnecessary fingerprinting and data-leak risk.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This script collects and emits local environment fingerprinting data including the AI harness, model, terminal program/version, and operating system. In a PR/commit workflow, that information is not necessary to enforce PR structure or capture intent, and if included in PR bodies or logs it can leak host and toolchain details that aid profiling, targeting, or deanonymization.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to install and activate a workflow that collects environment metadata and full prompt history, but it does not present a clear warning that this information may be sensitive and could be published in PRs. In a PR/commit skill, that omission is especially risky because users may follow the workflow by default and unintentionally disclose secrets, internal prompts, host details, or other confidential context.

Ssd 3

Medium
Confidence
98% confidence
Finding
The skill advertises capturing full prompt history with timestamps for auditability, which creates a direct path for leaking sensitive user inputs, internal instructions, credentials, repository details, or incidentally pasted secrets into PR artifacts. In the context of a workflow skill for commits and PRs, this is more dangerous because the output is designed for sharing with reviewers and potentially public repositories.

Ssd 3

Medium
Confidence
98% confidence
Finding
The workflow explicitly instructs the agent to include full prompt history in PR output, normalizing disclosure of raw interaction data that may contain sensitive business context, credentials, tokens, private URLs, or system prompts. Because PR bodies are routinely shared across teams and may become part of long-lived repository history, the skill materially increases the blast radius of any exposed information.

Ssd 3

Medium
Confidence
96% confidence
Finding
The example states that real PRs include full verbatim prompts, which reinforces unsafe behavior and makes sensitive transcript publication appear expected rather than exceptional. Example content strongly shapes user behavior, so this increases practical leakage risk by encouraging copy-forward of raw prompts into repository-visible artifacts.

Ssd 3

High
Confidence
98% confidence
Finding
The workflow explicitly requires including full prompt history verbatim in the PR body, which creates a direct exfiltration path for secrets, internal prompts, credentials, private data, or other sensitive user inputs that may have appeared during the session. Although it allows redacting only known sensitive portions, verbatim disclosure is unsafe because agents and users may fail to recognize all sensitive material, and PRs are broadly visible to collaborators and sometimes external systems.

Ssd 3

Medium
Confidence
92% confidence
Finding
Requiring Environment metadata and instructing the agent to ask the user to fill unknown fields promotes collection and publication of system details that may reveal internal tooling, model configuration, terminal environment, or infrastructure information. This metadata can aid fingerprinting, social engineering, or targeted attacks, especially when attached to PRs that are retained in repository history and accessible to multiple parties.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.