Search recent repo activities

Security checks across malware telemetry and agentic risk

Overview

This skill is a read-only GitHub activity lookup that sends the user's selected repo and search filters to the disclosed Nom service.

Use this for public GitHub activity searches. Avoid entering sensitive private search terms or repository details, and ensure the agent quotes and URL-encodes user input when forming curl requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 95%
Finding
The skill performs an external network request to a third-party service using curl, but it does not explicitly warn the user that their query terms and selected repository/org details will be transmitted to beta.nomit.dev. While the data sent is likely low sensitivity in normal use, silent outbound transmission to an external service is still a security and privacy concern, especially in agent environments where users may assume local-only processing.

VirusTotal

66/66 vendors flagged this skill as clean.
