Security audit

GitHub Bounty Finder Pro

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the advertised bounty search, but users should protect the GitHub and Algora credentials it requires.

Before installing, review the npm dependencies, create dedicated least-privilege GitHub and Algora credentials, keep .env out of version control and support bundles, restrict local file access where possible, and rotate any token that may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 97%
Finding
The README instructs users to place live GitHub and Algora credentials into a local .env file but does not warn them to keep that file out of version control, avoid sharing it, or use least-privilege tokens. This creates a realistic risk of accidental credential leakage through commits, screenshots, support bundles, or copied examples, especially because the document includes token-like examples and step-by-step setup guidance.

Missing User Warnings

Medium
Confidence: 81%
Finding
The manifest explicitly requires a GitHub Personal Access Token and an Algora API key but provides no user-facing guidance on secure handling, minimum required scopes, storage, or redaction. This increases the risk that users will provide over-privileged credentials or expose secrets through CLI history, config files, logs, or support artifacts.

Credential Access

High
Category: Privilege Escalation
Content
clawhub install github-bounty-finder

# Configure
echo "GITHUB_TOKEN=your_token" > .env
echo "ALGORA_API_KEY=your_key" >> .env

# Scan for bounties
Confidence: 92%
Finding: .env

Credential Access

High
Category: Privilege Escalation
Content
# Configure
echo "GITHUB_TOKEN=your_token" > .env
echo "ALGORA_API_KEY=your_key" >> .env

# Scan for bounties
github-bounty-finder scan
Confidence: 92%
Finding: .env

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code: suspicious.env_credential_access
Location: src/scanner.js:11

File appears to expose a hardcoded API secret or token.

Critical
Code: suspicious.exposed_secret_literal
Location: README.md:69