git-sync

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its sync-and-publish purpose, but it handles stored Git credentials and changes global Git credential settings in ways users should review before installing.

Install only if you intend this skill to publish skill repositories to Gitee/GitHub and are comfortable with it modifying README/manifest files, deleting and recreating destination skill folders, committing and pushing changes, and using local Git credentials. Run it only from a dedicated working repository that you have backed up, and review (or revert) the global Git credential.helper change it makes before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no meaningful permissions while its documented workflow clearly involves shell execution, local file reads/writes, network pushes to GitHub/Gitee, and likely environment access for credentials. This mismatch weakens user consent and policy enforcement because a caller may invoke a high-impact publishing skill believing it is low-privilege.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated description focuses on syncing and packaging, but the skill also indicates broader behaviors such as sensitive-content scanning/modification, manifest/version state updates, README regeneration, index generation, and cleanup/deletion of old artifacts. Under-described destructive or content-rewriting actions are dangerous because they can overwrite repository state or remove files beyond what a user reasonably expects from a 'sync' operation.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The permission document contradicts itself by claiming there is no critical_write while also stating that README.md is updated. This can mislead reviewers and users about the skill's real write scope, weakening consent and risk evaluation for file modification behavior.

Intent-Code Divergence

Low
Confidence
97% confidence
Finding
The document first states network_access is 0, then later acknowledges git push to Gitee/GitHub. Misstating network capability is security-relevant because users may approve the skill under the false belief that it never sends data off-host, when in fact repository contents can be transmitted to remote services.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The safety claim in the docstring says only temporary directories should be modified and source directories should only be logged, but `is_temp_dir()` treats any path containing `temp` or `tmp` as safe. That means ordinary non-temporary source paths such as project folders with those substrings can be misclassified and have matching files deleted, creating a real integrity risk during packaging workflows.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script reads plaintext credentials from ~/.git-credentials, reconstructs credential-bearing URLs, and temporarily rewrites remotes to embed those secrets for push/pull operations. This exposes local credentials to any code path that can invoke the script, increases leakage risk through process arguments/config/state, and goes beyond the minimal privilege needed for a sync/package utility.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script changes global Git configuration to credential.helper=store and creates ~/.git-credentials if missing, affecting the user's entire Git environment outside this repository. That broad persistent side effect can downgrade credential security and alter unrelated repositories without clear consent.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger conditions use broad phrases such as '同步、上传、推送、打包' (sync, upload, push, package) and allow expansive behavior such as syncing all entries when certain wording appears. Overlap with everyday user language increases the chance of unintended activation of destructive or networked operations, especially since the skill can delete files and push to remote repositories.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Silently reconfiguring global credential storage and creating a credential file without explicit notice or consent is a risky hidden side effect. It can cause users to store future Git credentials in plaintext unexpectedly, broadening exposure beyond the immediate script execution.
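Because the credential-handling side effects described in the findings above (plaintext `~/.git-credentials` read into remote URLs, and `credential.helper=store` set globally) outlive the skill's run, they are worth checking from the Git configuration itself rather than from anything the skill reports. The Python below is an added example and is not part of the skill or of the scanner: it parses Git's INI-style config text, flags remote URLs that carry a username or password (printing them redacted), and flags a `credential.helper` of `store`. `SAMPLE_CONFIG` is a constructed sample, not a real user's file; in practice feed `audit_git_config` the contents of `~/.gitconfig` and of the repository's `.git/config`.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit, urlunsplit

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_VALUE_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$")


def parse_git_config(text: str) -> List[Tuple[str, str, str]]:
    """Minimal reader for git's INI-style config: returns (section, key, value) triples.
    Enough for ~/.gitconfig and .git/config; includes and quoting edge cases are ignored."""
    entries = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KEY_VALUE_RE.match(line)
        if m and section is not None:
            entries.append((section, m.group(1).lower(), m.group(2)))
    return entries


def redact_url(url: str) -> str:
    """Mask the password in a URL's userinfo so a finding can be logged without leaking it."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    user = parts.username or ""
    netloc = f"{user}:***@{host}" if parts.password is not None else f"{user}@{host}"
    return urlunsplit(parts._replace(netloc=netloc))


def audit_git_config(text: str) -> List[str]:
    """Report the two side effects the findings describe: secrets embedded in remote
    URLs, and a credential helper that persists secrets in plaintext."""
    findings = []
    for section, key, value in parse_git_config(text):
        if section.startswith("remote ") and key == "url":
            parts = urlsplit(value)
            if parts.password is not None:
                findings.append(f"{section}: password embedded in remote URL {redact_url(value)}")
            elif parts.username is not None:
                findings.append(f"{section}: username embedded in remote URL {redact_url(value)}")
        elif section == "credential" and key == "helper" and value.split()[:1] == ["store"]:
            findings.append("credential.helper=store: future logins will be written in plaintext to ~/.git-credentials")
    return findings


# Constructed sample for the demonstration, not a real user's configuration.
SAMPLE_CONFIG = """\
[credential]
\thelper = store
[remote "origin"]
\turl = https://alice:s3cret@github.com/alice/skills.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "gitee"]
\turl = https://alice@gitee.com/alice/skills.git
[remote "upstream"]
\turl = git@github.com:example/skills.git
"""

if __name__ == "__main__":
    for finding in audit_git_config(SAMPLE_CONFIG):
        print(finding)
```

The scp-style `git@github.com:...` remote is deliberately left alone: it carries no userinfo in the URL sense, and its authentication lives in SSH, not in the config file. A remote rewritten to embed a token is the state the findings warn about, and is what the `origin` entry in the sample models.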

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script uses `rsync -a --delete` to mirror content into the working repository, which can remove files from the destination that are not present in the source. Although there is a path-boundary check, there is no explicit destructive-action confirmation or dry-run by default, so a mistaken skill name or bad source state can silently delete repository content.
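The two deletion hazards in the findings above, the substring-based `is_temp_dir()` and the unconfirmed `rsync -a --delete` mirror, share one remedy: decide by resolved path containment, and list what would be removed before removing it. The Python below is an added example, not the skill's own code. `is_temp_dir_weak` reconstructs the substring check as the finding describes it (the real function's body is not shown on this page), `is_temp_dir_strict` replaces it with a containment test against the real scratch root, and `plan_mirror` is a hypothetical dry run that returns what `--delete` would remove from the destination and refuses a destination outside the repository. The `demo()` fixture, its paths and file names are all constructed.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def is_temp_dir_weak(path: str) -> bool:
    """The substring test the finding describes, reconstructed for illustration
    (not the skill's code): any 'temp' or 'tmp' in the path counts as scratch."""
    lowered = path.lower()
    return "temp" in lowered or "tmp" in lowered


def _strictly_inside(child: Path, parent: Path) -> bool:
    """True only if child resolves (symlinks and '..' followed) to a location below parent."""
    child, parent = child.resolve(), parent.resolve()
    if child == parent:
        return False
    try:
        child.relative_to(parent)
    except ValueError:
        return False
    return True


def is_temp_dir_strict(path: str, temp_root: Optional[str] = None) -> bool:
    """Containment test: 'temporary' means below the real temp root, nothing else.
    temp_root defaults to the interpreter's temp directory."""
    root = temp_root if temp_root is not None else tempfile.gettempdir()
    return _strictly_inside(Path(path), Path(root))


def plan_mirror(src: str, dst: str, repo_root: str) -> List[str]:
    """Hypothetical dry run for `rsync -a --delete src/ dst/`: returns the files that
    exist under dst but not under src, i.e. what --delete would remove.
    Refuses a destination that is not strictly inside repo_root and a missing source.
    An empty or wrong source shows up as 'delete everything' in the returned list,
    which is exactly what a confirmation step should surface before mirroring."""
    src_p, dst_p, root_p = Path(src), Path(dst), Path(repo_root)
    if not _strictly_inside(dst_p, root_p):
        raise ValueError(f"refusing: {dst} is not strictly inside {repo_root}")
    if not src_p.is_dir():
        raise ValueError(f"refusing: source {src} is not a directory")
    src_files = {p.relative_to(src_p) for p in src_p.rglob("*") if p.is_file()}
    dst_files = set()
    if dst_p.is_dir():
        dst_files = {p.relative_to(dst_p) for p in dst_p.rglob("*") if p.is_file()}
    return sorted(str(p) for p in dst_files - src_files)


def demo() -> Dict[str, object]:
    """Constructed scenario: a project folder whose name merely contains 'temp',
    plus a source/destination pair where the destination holds one stale file."""
    root = Path(tempfile.mkdtemp(prefix="gitsync-demo-"))
    src = root / "skills-src" / "git-sync"
    dst = root / "repo" / "skills" / "git-sync"
    src.mkdir(parents=True)
    dst.mkdir(parents=True)
    (src / "SKILL.md").write_text("new\n")
    (dst / "SKILL.md").write_text("old\n")
    (dst / "stale.py").write_text("left over from a previous version\n")

    outside_refused = False
    try:
        plan_mirror(str(src), str(root / "elsewhere"), str(root / "repo"))
    except ValueError:
        outside_refused = True

    return {
        "weak_on_project": is_temp_dir_weak("/home/alice/projects/template-engine"),
        "strict_on_project": is_temp_dir_strict("/home/alice/projects/template-engine"),
        "strict_on_scratch": is_temp_dir_strict(str(root)),
        "strict_on_root": is_temp_dir_strict(tempfile.gettempdir()),
        "would_delete": plan_mirror(str(src), str(dst), str(root / "repo")),
        "outside_refused": outside_refused,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`is_temp_dir_strict` refuses the temp root itself as well as anything outside it, so a cleanup routine can never be pointed at `/tmp` as a whole. The stale file `plan_mirror` reports is what the skill's mirror step would remove silently; showing that list and requiring an explicit go-ahead is the missing confirmation the finding asks for.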

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically performs `git push` to Gitee and GitHub, transmitting repository contents to external services without an explicit consent gate at push time. In this skill's context, it handles skill packaging and may process user-authored files, so silent external publication increases the risk of accidental data disclosure.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal