Multi Team Coding

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed autonomous coding workflow, but it gives agents broad repository and GitHub authority with too little review control.

Install only if you intentionally want agents to make and publish repository changes. Use a disposable fork first, least-privilege GitHub credentials, protected branches, required human review before push or merge, and keep Playwright auth files and notification contents out of shared or public places.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (20)

Intent-Code Divergence

Medium

Confidence: 90% confidence
Finding: The skill claims a local-first workflow but also documents use of external services such as GitHub, Discord, and OpenClaw notifications. That mismatch can mislead users into exposing repository metadata, task details, or workflow status to third parties without realizing the workflow is not fully local.

Intent-Code Divergence

Medium

Confidence: 94% confidence
Finding: The document says the user only needs to review results, yet elsewhere it promotes automatic PR merging without showing a mandatory human approval step. In a coding workflow, this can lead to unreviewed AI-generated code being merged directly into the main branch, increasing the chance of insecure or destructive changes entering the codebase.

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The script instructs the agent to automatically push branches and create GitHub PRs as part of the generated prompt, which expands execution from local coding assistance into autonomous remote repository modification. Because these write actions are driven by model-produced output and untrusted issue content, they create a meaningful risk of unauthorized or unsafe publication of changes.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The guide recommends automatically creating, reviewing, and merging PRs with minimal human intervention, but does not prominently warn about the risk of merging incorrect, insecure, or malicious AI-generated changes. In this skill context, the danger is elevated because it promotes high-volume autonomous development and quick merges, which can bypass meaningful review and allow vulnerable code to land in the main branch.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The notification example sends operational data, including productivity metrics and report locations, to an external channel without warning about confidentiality, data minimization, or access control. In a coding workflow, such messages can leak repository activity, internal paths, issue volume, or other sensitive project metadata to third-party systems or unintended recipients.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The guide explicitly instructs users to persist authenticated Playwright storage state to a file and reuse it across tests, but it does not warn that this file may contain active session cookies, tokens, and other sensitive authentication artifacts. If the auth state file is committed, shared between team agents, exposed in CI artifacts, or stored with weak permissions, an attacker could hijack test accounts or access protected environments.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The README directly instructs users to run automation that fetches tasks, modifies code, and automatically creates PRs, but it does not warn that these actions can change the repository state or open external-facing artifacts. In a security-sensitive context, encouraging execution of repo-mutating scripts without review, dry-run guidance, or permission scoping increases the risk of unintended changes, unsafe PR creation, and abuse if the underlying scripts process untrusted issue content.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The "one-person company" workflow promotes unattended, one-click project automation with language encouraging the user to leave it running unsupervised, while omitting any warning about broad repository modifications or automated merges. This is more dangerous than ordinary automation guidance because the skill context explicitly emphasizes high-volume commits and PR handling, which can rapidly amplify mistakes or unsafe behavior across a codebase.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill includes fully automated PR merging and branch deletion commands but does not warn that these actions modify repository history and can remove branches. In a high-automation agent context, such commands can accidentally merge unsafe code or delete branches needed for recovery or forensic review.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The document promotes near-zero-touch automatic development and merging without explaining the risks to repository integrity, CI stability, and security review. In this context, minimizing human involvement makes mistakes by autonomous coding agents more likely to propagate into production code.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The documented rollback uses `git reset --hard HEAD~1` without warning that it irreversibly discards uncommitted work and rewrites the working state. In an automated workflow, that can destroy developer changes or obscure what the agent did during a failed integration attempt.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: This troubleshooting guidance again recommends `git reset --hard` to return to a prior commit without warning about permanent loss of local changes. Because this appears in a support section, users may copy it during incidents and unintentionally worsen data loss.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill shows sending project progress details to Feishu/Slack but does not warn that task names, status, and possibly sensitive project information are being sent to external messaging platforms. This creates a privacy and confidentiality risk, especially for proprietary or security-sensitive development work.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The workflow performs `git push` and `gh pr create` automatically, without any confirmation gate, dry run, or review requirement. In this context, the agent is processing untrusted GitHub issue text, so automatic publication can turn prompt injection or model error into immediate repository changes visible to collaborators or CI systems.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The script automatically runs `npm init -y`, `npm install -D @playwright/test`, and `npx playwright install` when prerequisites are missing, which modifies the current project and fetches external code without explicit prior warning or confirmation. In a developer workflow skill, this is risky because dependency installation can execute package lifecycle scripts and alter lockfiles or repository state unexpectedly.

Missing User Warnings

High

Confidence: 90% confidence
Finding: The workflow launches background agent commands that are explicitly instructed to save files, run Playwright tests, stage changes, and create git commits, all without a clear approval step per action. Because the generated prompt embeds executable commands and delegates code generation to an external agent, this can lead to unreviewed code execution and repository mutations at scale.

Ssd 4

High

Confidence: 98% confidence
Finding: Untrusted GitHub issue title and body content are interpolated directly into the prompt that drives autonomous coding behavior. Since the prompt then guides file changes, testing, commits, and later publication, a malicious issue can embed instructions that steer the model into making unsafe code changes, exfiltrating data into commits/PRs, or bypassing intended workflow constraints.

Ssd 4

High

Confidence: 97% confidence
Finding: The appended '完成后自动执行' block normalizes a chain of autonomous actions—push, PR creation, and notification—after the model acts on untrusted issue content. This compounds prompt-injection risk by giving malicious or manipulative issue narratives a direct path from text input to externally published code changes with minimal oversight.

Ssd 4

High

Confidence: 98% confidence
Finding: The script retrieves untrusted GitHub issue content and injects it directly into an agent prompt that instructs the agent to modify code, run tests, commit, push, and create a PR autonomously. This creates a prompt-injection path where a malicious issue author can smuggle instructions that cause unintended code changes, data exfiltration, or repository abuse, and the workflow amplifies the risk by giving the agent write actions to git and GitHub.

Ssd 1

High

Confidence: 99% confidence
Finding: The prompt structure tells the agent to 'carefully read issue description' and then perform implementation and release actions, effectively elevating issue text into an authoritative planning source. In this skill's context, that is especially dangerous because the agent is then launched in a repository worktree with autonomous execution and can commit and publish attacker-influenced changes to the remote repository.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal