MergeIQ: Automatically Score & Prioritise PR Complexity for GitLab and GitHub

Security checks across malware telemetry and agentic risk

Overview

MergeIQ is a local PR/MR complexity scorer. Its use of repository metadata and API tokens is expected for GitHub/GitLab integration, and no hidden execution or persistence was found.

Install only if you are comfortable providing PR/MR metadata to the local scorer and to GitHub or GitLab through the documented API calls. Use least-privilege read-only tokens, prefer environment variables or a secure credential manager, and avoid saving or sharing fetched JSON from private repositories unless needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 89%
Finding
The examples instruct users to send repository and review metadata to external APIs using bearer/private tokens but provide no warning about credential handling, token scope, shell history, or the sensitivity of repository data. This can lead users to expose secrets or process private code metadata without understanding the risk.

VirusTotal

63/63 vendors flagged this skill as clean.
