Security audit

workflow-migrate

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it includes a Kevin-specific Telegram alert path that could send workflow failure details to an unrelated destination.

Install only if you will review the generated files before use. Replace or remove all Kevin-specific Telegram settings, provide only your own alert destination after explicit approval, test with --dry-run and non-production credentials first, and keep recurring scripts in a clearly scoped directory with a known stop or disable path.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The instruction to send failure alerts via 'Kevin's bot token if available' introduces an unjustified dependency on a specific person's credentials that are unrelated to the user's requested migration. In a code-generation skill, this can cause the agent to embed or normalize use of third-party secrets and route operational data to an external party without explicit consent.

Context-Inappropriate Capability

Medium

Confidence: 98% confidence
Finding: Hard-coding a specific Telegram chat ID in the generated .env.example can direct workflow failure notifications and potentially sensitive operational metadata to an unrelated recipient. Because this skill generates runnable automation code, the example value is likely to be copied into production with little scrutiny, creating an unintended data exfiltration path.

Natural-Language Policy Violations

Medium

Confidence: 88% confidence
Finding: The skill hard-codes preferences around a specific user name ('Kevin explicitly requests Node' and 'Ask Kevin where to save'), which can cause the agent to assume identity, ownership, or authorization without user opt-in. While not directly exploitative on its own, this is unsafe prompt behavior because it can bias decisions and file handling based on an unrelated principal.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The skill instructs generation of runnable scripts that perform network requests, file writes, environment-variable access, and alerting, but does not require explicit safety checks, consent boundaries, or privacy warnings before producing potentially impactful automation. In this context, missing guardrails increase the chance that generated code will be executed against live systems or sensitive data without adequate review.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.