
Security audit

Github Sync Skill

Security checks across malware telemetry and agentic risk

Overview

This GitHub sync skill is mostly coherent, but it includes under-disclosed remote deletion and broad upload behavior that users should review carefully.

Install only if you are comfortable granting a GitHub token that can write to the target repository. Use a fine-grained token limited to one repository, review the files under each skill before syncing, avoid broad or persistent token storage, and do not run cleanup_remote_repo.sh unless you have reviewed a dry run and intend to delete every unlisted remote item.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises shell-based workflows and executable scripts but does not declare any permissions, which undermines user awareness and consent around command execution. In an agent setting, hidden shell capability increases the risk of unintended local file operations, token handling, or repository modification without clear security boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is GitHub synchronization, but the broader behavior includes remote cleanup/deletion, repository creation, local repo inspection, and token permission verification. This mismatch is dangerous because users may consent to 'sync' while the skill performs destructive or higher-privilege operations they did not reasonably expect.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script is not merely synchronizing local skills to GitHub; it enumerates the entire repository and recursively deletes all top-level entries not present in a hardcoded allowlist. In the context of a 'github-sync-skill', this creates a destructive repository-wide purge capability that can remove unrelated content if run with a valid token, making accidental or abusive data loss highly likely.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
A hardcoded repository-wide purge mechanism is not justified by the stated use case of syncing skills, and it operates against fixed OWNER/REPO values. This mismatch between declared purpose and actual behavior increases the chance that users grant trust or credentials for synchronization while unknowingly enabling mass deletion of remote repository contents.
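The two findings above describe a cleanup step that deletes every top-level entry not on a hardcoded allowlist. The Python below is an added illustration, not the skill's cleanup_remote_repo.sh, of how such a step can be made reviewable: the plan is computed from the listing the Contents API returns, a small set of entries is never deleted whatever the allowlist says, a dry run is the default, and a plan that would remove more than half of the repository's top level is refused even when confirmed, since that is the usual symptom of a wrong OWNER/REPO. The remote listing, the allowlist, the protected set and the threshold are constructed assumptions for the example.

```python
"""Reviewable remote cleanup: plan first, delete only on explicit confirmation.

Added example; it is not the audited skill's cleanup_remote_repo.sh. It models
the reported behaviour (remove every top-level entry absent from an allowlist)
but keeps planning separate from execution. The sample listing, allowlist,
protected set and threshold are constructed for the example.
"""
from dataclasses import dataclass

# Entries a skill-sync cleanup must never delete, whatever the allowlist says (assumed set).
PROTECTED = frozenset({".github", ".gitignore", "README.md", "LICENSE"})


@dataclass(frozen=True)
class Plan:
    keep: tuple
    delete: tuple


def plan_cleanup(remote_entries, allowlist):
    """Compute the deletion set from a Contents-API style listing
    (list of {"name": ..., "type": ...}) and the local allowlist."""
    names = sorted(e["name"] for e in remote_entries)
    keep = tuple(n for n in names if n in allowlist or n in PROTECTED)
    delete = tuple(n for n in names if n not in allowlist and n not in PROTECTED)
    return Plan(keep=keep, delete=delete)


def run_cleanup(plan, *, confirm=False, max_delete_ratio=0.5, deleter=None):
    """Return (executed, message). Nothing is deleted unless confirm=True, and a
    plan that would wipe more than max_delete_ratio of the top level is refused
    even then: that shape almost always means the wrong OWNER/REPO or allowlist."""
    total = len(plan.keep) + len(plan.delete)
    if not plan.delete:
        return False, "nothing to delete"
    if len(plan.delete) / total > max_delete_ratio:
        return False, (f"refusing: plan removes {len(plan.delete)} of {total} "
                       "top-level entries; check OWNER/REPO and the allowlist")
    if not confirm:
        return False, "dry run, would delete: " + ", ".join(plan.delete)
    if deleter is None:
        raise ValueError("confirm=True requires a deleter callable")
    for name in plan.delete:
        deleter(name)  # in a real script: DELETE /repos/OWNER/REPO/contents/<name> per file
    return True, f"deleted {len(plan.delete)} entries: " + ", ".join(plan.delete)


# Constructed sample: what GET /repos/<owner>/<repo>/contents/ might list.
SAMPLE_REMOTE = [
    {"name": "github-sync-skill", "type": "dir"},
    {"name": "other-skill", "type": "dir"},
    {"name": "README.md", "type": "file"},
    {"name": "docs", "type": "dir"},
    {"name": "important-data", "type": "dir"},
]
SAMPLE_ALLOWLIST = frozenset({"github-sync-skill", "other-skill"})


if __name__ == "__main__":
    plan = plan_cleanup(SAMPLE_REMOTE, SAMPLE_ALLOWLIST)
    print(run_cleanup(plan))  # dry run: lists docs and important-data, deletes nothing
    deleted = []
    print(run_cleanup(plan, confirm=True, deleter=deleted.append))
    print("deleted:", deleted)
```

The point of the split is that the dry-run message is exactly the list a reviewer has to read before anyone passes confirm=True; the ratio guard exists because an allowlist that matches nothing on the wrong repository otherwise produces a perfectly valid plan to delete everything.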

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger phrase '备份我的技能' ("back up my skills") is broad and can match ordinary backup requests that do not imply GitHub publication or remote transmission. In practice this can cause the agent to invoke a networked, state-changing skill in response to ambiguous user intent, leading to unintended upload of local content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly recommends persisting a GitHub personal access token in a shell startup file, which increases the chance of long-term local credential exposure through misconfigured file permissions, backups, shell history-adjacent leakage, or accidental dotfile sync to a repository. While this is common convenience advice, it is unsafe without strong warnings and safer alternatives because the token grants repository access.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Verify the token owner
curl -s -H "Authorization: token $GITHUB_TOKEN" \
  https://api.github.com/user | jq -r '.login'

# Verify repository permissions
curl -s -H "Authorization: token $GITHUB_TOKEN" \
```
Confidence
88% confidence
Finding
https://api.github.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Verify repository permissions
curl -s -H "Authorization: token $GITHUB_TOKEN" \
  https://api.github.com/repos/<owner>/<repo> | jq '.permissions'
```

## Output format
Confidence
88% confidence
Finding
https://api.github.com/
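The two lookups flagged above read `.login` and `.permissions` but stop at printing them. The Python below is an added example, not the skill's own code, that turns those two responses, together with the X-OAuth-Scopes response header that classic tokens carry, into a least-privilege decision before the token is used for anything: the token must belong to the expected account, must be able to push to the one target repository, must not hold admin on it, and if it is a classic token must not carry the all-repositories `repo` scope or scopes such as delete_repo. The sample responses, the expected login `alice`, the repository `alice/skills-backup` and the list of scopes treated as broad are constructed assumptions for the example.

```python
"""Least-privilege check for the GitHub token handed to a sync skill.

Added example, not part of the audited skill. It consumes the responses of the
same two lookups the skill's documentation verifies with curl (GET /user and
GET /repos/<owner>/<repo>) plus the X-OAuth-Scopes response header, and reports
every way the token exceeds "push files to one repository". The sample
responses, expected login/repository and the broad-scope list are constructed.
"""

# Classic-PAT scopes a skill-sync token has no business carrying (assumed list).
BROAD_SCOPES = {
    "delete_repo",       # can delete the repository outright
    "admin:org",         # manage organisation membership and settings
    "admin:enterprise",
    "admin:repo_hook",   # add webhooks that receive every push
    "admin:public_key",  # add SSH keys to the account
    "workflow",          # push GitHub Actions workflows, i.e. arbitrary CI
}


def assess_token(user_resp, repo_resp, scopes_header, expected_login, expected_repo):
    """Return (token_kind, problems). An empty problems list means the token is
    scoped to the one repository it is meant to write to."""
    problems = []

    login = user_resp.get("login")
    if login != expected_login:
        problems.append(f"token belongs to {login!r}, expected {expected_login!r}")

    full_name = repo_resp.get("full_name")
    if full_name != expected_repo:
        problems.append(f"repository lookup returned {full_name!r}, expected {expected_repo!r}")

    perms = repo_resp.get("permissions", {})
    if not perms.get("push"):
        problems.append("token cannot push to the target repository, so sync would fail")
    if perms.get("admin"):
        problems.append("token has admin on the repository (settings, collaborators, deletion)")

    # Fine-grained tokens send no X-OAuth-Scopes header; classic tokens list their scopes there.
    if scopes_header is None:
        token_kind = "fine-grained"
    else:
        token_kind = "classic"
        scopes = {s.strip() for s in scopes_header.split(",") if s.strip()}
        broad = sorted(scopes & BROAD_SCOPES)
        if broad:
            problems.append("classic token carries broad scopes: " + ", ".join(broad))
        if "repo" in scopes:
            problems.append("classic 'repo' scope grants write access to every repository "
                            "the account can reach, not just the target")
    return token_kind, problems


# Constructed sample responses.
SAMPLE_USER = {"login": "alice"}
SAMPLE_REPO_FINE_GRAINED = {
    "full_name": "alice/skills-backup",
    "permissions": {"admin": False, "maintain": False, "push": True, "triage": True, "pull": True},
}
SAMPLE_REPO_CLASSIC = {
    "full_name": "alice/skills-backup",
    "permissions": {"admin": True, "maintain": True, "push": True, "triage": True, "pull": True},
}
SAMPLE_CLASSIC_SCOPES = "repo, delete_repo, workflow"


if __name__ == "__main__":
    for label, repo, scopes in (("fine-grained", SAMPLE_REPO_FINE_GRAINED, None),
                                ("classic", SAMPLE_REPO_CLASSIC, SAMPLE_CLASSIC_SCOPES)):
        kind, problems = assess_token(SAMPLE_USER, repo, scopes, "alice", "alice/skills-backup")
        print(label, kind, problems or "OK")
```

The `permissions` object is the same signal the skill's own check reads; it describes what the token can do on that one repository, not which other repositories it can reach, so the single-repository restriction of a fine-grained token still has to be confirmed in the token's settings (or by probing an unrelated repository and expecting a not-found response).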

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Create/update file
    if [ -n "$sha" ]; then
        result=$(curl -s -X PUT -H "Authorization: token $TOKEN" \
            -H "Accept: application/vnd.github.v3+json" \
            "https://api.github.com/repos/$OWNER/$REPO/contents/$path" \
            -d "{\"message\":\"$message\",\"content\":\"$encoded\",\"sha\":\"$sha\",\"branch\":\"main\"}")
```
Confidence
86% confidence
Finding
```bash
curl -s -X PUT -H "Authorization: token $TOKEN" \
    -H "Accept: application/vnd.github.v3+json" \
    "https://api.github.com/repos/$OWNER/$REPO/contents/$path" \
    -d "{\"
```

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
if [ -n "$sha" ]; then
        result=$(curl -s -X PUT -H "Authorization: token $TOKEN" \
            -H "Accept: application/vnd.github.v3+json" \
            "https://api.github.com/repos/$OWNER/$REPO/contents/$path" \
            -d "{\"message\":\"$message\",\"content\":\"$encoded\",\"sha\":\"$sha\",\"branch\":\"main\"}")
    else
        result=$(curl -s -X PUT -H "Authorization: token $TOKEN" \
```
Confidence
86% confidence
Finding
https://api.github.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
else
        result=$(curl -s -X PUT -H "Authorization: token $TOKEN" \
            -H "Accept: application/vnd.github.v3+json" \
            "https://api.github.com/repos/$OWNER/$REPO/contents/$path" \
            -d "{\"message\":\"$message\",\"content\":\"$encoded\",\"branch\":\"main\"}")
    fi
```
Confidence
86% confidence
Finding
https://api.github.com/

VirusTotal

66/66 vendors flagged this skill as clean.
