Github Bounty Finder

Security checks across malware telemetry and agentic risk

Overview

This skill is a bounty-scanning CLI that uses GitHub and Algora credentials for read-oriented searches. The findings disclosed below concern credential handling; they reduce to precautions users should follow.

Install only if you are comfortable with a local CLI making authenticated requests to GitHub and Algora. Use a fine-grained or least-privilege GitHub token, keep .env out of version control and shared archives, protect exported result files, and rotate tokens if you suspect exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The README tells users to place live GitHub and Algora credentials in a local .env file but does not warn about secret handling: exclusion via .gitignore, filesystem permissions, shell history, or accidental publication. In a developer-tool or agent-skill context this is a real weakness, because users commonly commit .env files, include them in support bundles, or leave them readable by other local processes and users.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill instructs users to place GitHub and Algora credentials in a `.env` file but provides no warning about secure storage, exclusion from version control, or least-privilege token practices. This increases the likelihood of accidental credential exposure through commits, logs, backups, or shared environments, which could enable unauthorized API access or abuse of the user's accounts.
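Both findings, and the precautions in the overview, come down to three checks a user can run before installing: is `.env` ignored by git, is it readable only by its owner, and has a token already leaked into some other file in the working tree (a README, an exported results file, a support bundle)? The script below is an added example written for this page; it is not code from the Github Bounty Finder skill or from SkillSpector. It assumes a simplified `.gitignore` evaluation (basename patterns only, last match wins, `!` negates; nested and directory-scoped rules are not modelled), uses GitHub's published token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`) and does not detect Algora tokens, whose format the page does not document. The sample working tree it audits is constructed in a temporary directory with fake tokens.

```python
"""Pre-install audit for a CLI that reads API credentials from a local .env file.
Added example; not code from the Github Bounty Finder skill or from SkillSpector."""
import re
import stat
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# GitHub's published token prefixes: classic PATs (ghp_), OAuth (gho_), user-to-server (ghu_),
# server-to-server (ghs_), refresh (ghr_) and fine-grained PATs (github_pat_).
# Algora tokens have no documented format to match, so they are not detected here.
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9_]{22,255}\b"
)


def gitignore_covers(repo: Path, name: str = ".env") -> bool:
    """Simplified .gitignore evaluation (assumption): basename patterns only, last match wins,
    a leading '!' negates. Nested .gitignore files and directory-scoped rules are not modelled."""
    gitignore = repo / ".gitignore"
    if not gitignore.is_file():
        return False
    covered = False
    for raw in gitignore.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        pattern = (line[1:] if negated else line).strip("/")
        if fnmatch(name, pattern):
            covered = not negated
    return covered


def is_private(path: Path) -> bool:
    """True when group and other hold no permission bits at all (mode 0600 or tighter)."""
    return stat.S_IMODE(path.stat().st_mode) & 0o077 == 0


def find_token_leaks(repo: Path, skip=frozenset({".env"})) -> list:
    """Scan every file except .env itself for GitHub token-shaped strings.
    Reports the path and a masked prefix only; the full secret is never echoed."""
    hits = []
    for path in sorted(repo.rglob("*")):
        if not path.is_file() or path.name in skip or ".git" in path.parts:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for match in GITHUB_TOKEN_RE.finditer(text):
            hits.append(f"GitHub token-shaped string in {path.relative_to(repo)}: {match.group(0)[:8]}...")
    return hits


def audit_env(repo) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    repo = Path(repo)
    env = repo / ".env"
    if not env.is_file():
        return ["no .env file found; nothing to audit"]
    findings = []
    if not gitignore_covers(repo):
        findings.append(".env is not covered by .gitignore")
    if not is_private(env):
        findings.append(f".env is readable by group/other (mode {stat.S_IMODE(env.stat().st_mode):o})")
    findings.extend(find_token_leaks(repo))
    return findings


def build_sample_repo(root) -> Path:
    """Constructed sample tree reproducing the weakness: a world-readable .env holding a fake
    classic PAT, a .gitignore that never mentions it, and a README with a token pasted by accident."""
    root = Path(root)
    (root / ".gitignore").write_text("node_modules/\n*.log\n")
    env = root / ".env"
    env.write_text("GITHUB_TOKEN=ghp_" + "A" * 36 + "\nALGORA_TOKEN=not-a-real-algora-token\n")
    env.chmod(0o644)
    (root / "README.md").write_text("Run with GITHUB_TOKEN=ghp_" + "B" * 36 + "\n")
    return root


def harden(repo: Path) -> None:
    """The two fixes the overview recommends: ignore .env and make it owner-only. The README leak
    is deliberately left alone: a token that has been published can only be fixed by rotating it."""
    with open(repo / ".gitignore", "a") as f:
        f.write(".env\n")
    (repo / ".env").chmod(0o600)


def demo() -> dict:
    """Audit the constructed sample repo before and after hardening."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = build_sample_repo(tmp)
        before = audit_env(repo)
        harden(repo)
        after = audit_env(repo)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, findings in demo().items():
        print(f"{phase}: {findings or ['ok']}")
```

Run it as `python audit_env.py` in any checkout, or call `audit_env(".")` from your own tooling. The leak scan is intentionally kept after hardening: fixing `.gitignore` and file permissions stops future exposure, but a token that already sits in a README, a results export or a shell history file must be rotated, not merely hidden.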

VirusTotal

66/66 vendors flagged this skill as clean.
