Security audit

Follow Github

Security checks across malware telemetry and agentic risk

Overview

This skill behaves like a disclosed GitHub digest tool, but it stores local tokens and can schedule recurring delivery if the user enables it.

Install only if you are comfortable storing narrowly scoped GitHub, Telegram, or Resend tokens under ~/.follow-github and allowing scheduled digest jobs if you enable them. Prefer read-only GitHub permissions, protect the .env file, leave prompts.remoteUrl unset unless you control the source, and use on-demand/stdout delivery if you do not want third-party messaging or background execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill declares environment requirements but operationally instructs the agent to perform network access to GitHub, GitHub Trending, Telegram, and Resend. Undeclared capabilities reduce transparency and can bypass user expectations or policy enforcement around networked skills.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as a GitHub digest generator, but it also collects and stores credentials, persists user data, schedules background execution, supports Telegram/email exfiltration paths, and references remotely sourced prompts via configurable URLs. This mismatch increases the chance a user authorizes behavior they did not meaningfully consent to.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script supports loading prompt files from a user-configured remote URL and then includes that content in the final JSON for downstream LLM use. Because prompts directly influence model behavior, this is effectively remote instruction injection: anyone controlling the remote endpoint can alter summaries, exfiltrate data from the assembled digest, or manipulate subsequent agent actions. In a GitHub digest skill, remote prompt execution is not necessary to fulfill the stated purpose, so this materially increases risk.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The README instructs users to handle and store multiple sensitive credentials, and includes a shell command pattern that embeds a token directly in a command line. While this is common setup guidance, command-line arguments can be exposed through shell history, process listings, terminal logs, or screenshots, which increases the chance of accidental credential disclosure.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The invocation guidance includes broad triggers like general GitHub updates or repo digests, which can cause the skill to activate in contexts broader than necessary. Overbroad activation increases the chance of unnecessary credential prompting, file writes, or external network actions.

External Transmission

Medium
Category
Data Exfiltration
Content
7. Fetch the chat ID with:

```bash
curl -s "https://api.telegram.org/bot<TOKEN>/getUpdates" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d['result'][0]['message']['chat']['id'])" 2>/dev/null || echo "No messages found — send a message to your bot first"
```
Save chat ID as `delivery.chatId`.
Confidence
88% confidence
Finding
https://api.telegram.org/

Credential Access

High
Category
Privilege Escalation
Content
All data is fetched **live** from GitHub's API and `github.com/trending` —
there is no central feed. Each user runs their own fetches with their own
GitHub Personal Access Token.

## Detecting Platform
Confidence
90% confidence
Finding
Access Token

Credential Access

High
Category
Privilege Escalation
Content
Save as `github.username` in config.

### Step 3: GitHub Personal Access Token (PAT)

Tell the user:
Confidence
95% confidence
Finding
Access Token

Session Persistence

Medium
Category
Rogue Agent
Content
**Non-persistent agent + Telegram or Email:**
```bash
SKILL_DIR="<absolute path to the follow-github directory>"
(crontab -l 2>/dev/null; echo "<cron expression> cd $SKILL_DIR/scripts && node prepare-digest.js 2>/dev/null | node deliver.js 2>/dev/null") | crontab -
```
Note: this pipes raw JSON to delivery — no LLM remix. For full digests, use
`/gh` manually or switch to OpenClaw.
Confidence
92% confidence
Finding
crontab -l

Session Persistence

Medium
Category
Rogue Agent
Content
The token is saved to `~/.follow-github/.env` — never committed to git, never
sent anywhere except GitHub's own API."

Create the .env file:
```bash
mkdir -p ~/.follow-github
cat > ~/.follow-github/.env << 'ENVEOF'
```
Confidence
94% confidence
Finding
Create the .env file: ```bash mkdir -p ~/.follow-github cat > ~/.follow-github

Session Persistence

Medium
Category
Rogue Agent
Content
**If Email:** Ask for their email address, guide through Resend signup at
https://resend.com, then:

1. Create an account
2. Create an API key in the dashboard
3. Save the key to `.env` as `RESEND_API_KEY`
4. Save the destination email address as `delivery.email`
Confidence
90% confidence
Finding
Create an account 2. Create an API key in the dashboard 3. Save the key to `.env` as `RESEND_API_KEY` 4. Save the destination email address as `delivery.email` **If on-demand:** Set `delivery.method`

Session Persistence

Medium
Category
Rogue Agent
Content
across skill updates.

```bash
mkdir -p ~/.follow-github/prompts
cp ${CLAUDE_SKILL_DIR}/prompts/<filename>.md ~/.follow-github/prompts/<filename>.md
```
Confidence
69% confidence
Finding
mkdir -p ~/.follow-github/prompts cp ${CLAUDE_SKILL_DIR}/prompts/<filename>.md ~/.follow-github/prompts/<filename>.md ``` Then edit `~/.follow-github/prompts/<filename>.md`. - "Make summaries shorte

External Script Fetching

High
Category
Supply Chain
Content
7. Fetch the chat ID with:

```bash
curl -s "https://api.telegram.org/bot<TOKEN>/getUpdates" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d['result'][0]['message']['chat']['id'])" 2>/dev/null || echo "No messages found — send a message to your bot first"
```
Save chat ID as `delivery.chatId`.
Confidence
84% confidence
Finding
curl -s "https://api.telegram.org/bot<TOKEN>/getUpdates" | python

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
- "Show my settings" → Read and display config.json in a friendly format
- "Who am I following?" → Tell them to check https://github.com/<their username>?tab=following
  (we don't cache the following list — it's fetched fresh each digest)
- "Show my prompts" → Read and display prompt files

After any configuration change, confirm what you changed.
Confidence
78% confidence
Finding
display prompt

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/deliver.js:140