Back to skill

Security audit

spec驱动开发vibe coding skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Git workflow skill, but it needs Review because it stores a Git token on disk and can commit, tag, push, and roll back repository state with limited confirmation controls.

Install only if you trust the publisher and will run it in a controlled workspace. Use a short-lived, repository-scoped token, manually approve clone/push/tag/reset actions, review any auxiliary skills loaded from the repository, and remove the ~/.git-credentials entry after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill is primarily described as a local checkpoint/rollback mechanism, yet it includes `git push origin "checkpoint/${CKPT_ID}"` as an optional step. That creates an unnecessary data exfiltration path: checkpoint tags may expose repository history, workflow timing, and sensitive development state to a remote without an explicit trust boundary, confirmation step, or policy check.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The skill states rollback must not modify source files, but the documented flow overwrites `current_iter.md` during rollback. This contradiction is dangerous because operators may rely on the non-modification guarantee while the procedure actually mutates repository state beyond Git checkout/reset semantics, increasing risk of data loss or unintended state corruption.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill defines broad natural-language triggers such as starting or running a sprint/iteration, which can match ordinary user conversation and cause the workflow to activate unexpectedly. In this skill, accidental activation is more dangerous than usual because activation can lead to repository cloning, credential setup, checkpoint changes, and eventually remote push behavior across a development lifecycle.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The mandated response format requires pasting the full contents of `auxiliary/skills/available_skills.xml`, which can expose internal skill inventory, file paths, capabilities, and potentially sensitive configuration details to the user. Because the same skill also instructs loading other skills from that inventory, this creates an information-disclosure primitive that can aid prompt extraction, capability mapping, and follow-on abuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill is designed to clone a remote repository during `init` and push to the remote during `release` without an explicit user-confirmation gate at the point of execution. In an agent setting, networked read/write actions against repositories are high risk because a mistaken trigger, poisoned prompt context, or misunderstood task can exfiltrate code, modify upstream history, or publish unintended changes.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
The skill metadata and body are written in Chinese and strongly prescribe Chinese-language interaction/output without any indication of user language preference or fallback. This can override the caller's expected language and reduce reviewer comprehension, increasing the chance that important review findings are misunderstood or missed in a security-sensitive code review workflow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill exposes rollback operations that can overwrite working tree and branch state, including `git reset --hard`, without a prominent, explicit user-facing warning at invocation time. In a user-invocable agent skill, destructive repository actions are especially risky because they can irreversibly discard uncommitted work or confuse operators about what state will be changed.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.generated_source_template_injection

User-controlled placeholder is embedded directly into generated source code.

Critical
Code
suspicious.generated_source_template_injection
Location
SKILL.md:237