OSS Contributor

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its open-source contribution purpose, but it needs Review because it can make public GitHub changes, run third-party repo tests, and unnecessarily reads and prints part of a local token.

Install only if you intentionally want an agent to act on GitHub for you. Use a dedicated least-privileged GitHub token, start with --dry-run, avoid --auto/--yes until reviewed, restrict repositories with an allowlist, run unknown repos in a sandbox, and remove the local token-read and token-prefix echo before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding: The skill declares GH_TOKEN as the primary environment secret, but later instructs the sub-agent to override it by reading a token from an unrelated local config file. This expands the skill's access to secrets beyond its stated contract and can cause the agent to use the wrong credential source, increasing the chance of unauthorized secret access and cross-skill credential misuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The sub-agent is told to read a GitHub token from an unrelated local secrets file belonging to another skill, which is not necessary for contributing to open-source issues. Accessing undeclared local secret material violates least privilege and creates a path for credential harvesting or reuse outside the user's expectations.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The skill uses an authorization token for external API calls without giving a prominent user-facing warning that GitHub credentials will be transmitted to GitHub and used for account actions. In a user-invocable skill that performs remote operations, lack of clear disclosure increases the risk of users triggering credentialed actions without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The description advertises discovery and contribution workflows but does not prominently warn that the skill can fork repositories, push code, and open pull requests. Because these are remote write actions affecting external services and public identity, the lack of prominent disclosure makes accidental or uninformed execution more dangerous.

Ssd 3

Severity: High
Confidence: 99%
Finding: The sub-agent is instructed to read a token from a local secrets file and print the first characters of it for verification. Even partial credential disclosure is sensitive, and combining secret-file access with output leakage creates a direct exfiltration path for authentication material.

VirusTotal

66/66 vendors flagged this skill as clean.