Security audit

Skill Audit

Security checks across malware telemetry and agentic risk

Overview

This is a repository-audit tool whose file reading, GitHub checks, and optional GitHub token use fit its stated security-review purpose, though users should notice the default network precheck.

Install only if you are comfortable with the tool reading the target repository and contacting GitHub during evaluation. If the repository or its origin is sensitive, run without GITHUB_TOKEN or in an environment where outbound GitHub access is controlled, because the precheck is automatic when a GitHub origin is present.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92%
Finding
The skill advertises runtime requirements and command flows that imply shell execution, file read/write, environment access, and optional network use, but it does not declare permissions accordingly. This creates a transparency and policy-enforcement gap: users or platforms may treat the skill as lower risk than it is, leading to unintended access to local repositories, temp files, environment variables, and outbound connectivity during audits.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95%
Finding
The skill claims to perform a deterministic static local audit, but the documented behavior includes GitHub-origin discovery, OSINT prechecks, and outbound API access that can influence results. This mismatch is dangerous because users may run it in sensitive or offline environments expecting a purely local scan, while the skill can disclose repository metadata externally and make trust decisions based on mutable remote signals rather than reproducible local evidence.

Description-Behavior Mismatch

Medium
Confidence
95%
Finding
This code performs live GitHub API requests and issue-search heuristics even though the skill is described as a deterministic static pre-install audit. That expands the trust boundary, leaks repository metadata to external services, and makes results nondeterministic and dependent on network state and third-party content.

Context-Inappropriate Capability

Medium
Confidence
96%
Finding
The function reads `GITHUB_TOKEN` from the environment and automatically attaches it to outbound GitHub API requests. In a skill advertised as a static safety audit, implicit credential use is dangerous because it can consume a sensitive token without explicit user awareness and broadens the consequences of network activity.

Missing User Warnings

Low
Confidence
84%
Finding
These helper functions make outbound requests to GitHub but this file contains no user-facing disclosure or consent mechanism. The risk is primarily transparency and privacy: users may expect a local static audit, yet the skill contacts external infrastructure and transmits repository-identifying information.

Missing User Warnings

Low
Confidence
87%
Finding
The code accesses `GITHUB_TOKEN` silently and uses it for outbound authentication, but this behavior is not disclosed in the file’s visible interface. While not exfiltration by itself, undisclosed credential consumption is a security and trust concern in an auditing tool.

VirusTotal

65/65 vendors flagged this skill as clean.