GitHub Hosts CN

Security checks across malware telemetry and agentic risk

Overview

This skill openly changes the system hosts file for GitHub access, but its advertised restore flow appears broken, which is a serious rollback concern for a privileged networking change.

Install only if you explicitly want a China-oriented GitHub hosts-file workaround and are comfortable granting sudo/admin access. Use preview first and verify the proposed entries. Do not rely solely on the built-in restore command until the restore-path bug is fixed; keep a separate manual backup of your hosts file before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The restore path validation is inconsistent with how restoreBackup() actually works: it copies the selected backup into CONFIG.tempDir and then passes that temp path into copyFromBackup(), but copyFromBackup() only allows paths under CONFIG.backupDir. As a result, restore operations fail by design, which can leave users unable to recover after a bad hosts update. In a tool that modifies /etc/hosts with elevated privileges, broken rollback materially increases operational risk.

Vague Triggers

Medium
Confidence: 88%
Finding
The skill description is broad enough that an agent may invoke it whenever a user mentions GitHub access problems, even though the skill modifies /etc/hosts and may require elevated privileges. In this context, ambiguous activation is more dangerous than usual because the action changes system networking behavior and could be triggered without sufficiently explicit user intent to alter host resolution.

Natural-Language Policy Violations

Low
Confidence: 72%
Finding
The skill is framed as '中国用户专用' ("for Chinese users only") without making the targeting an explicit user choice, which can cause an agent to steer users into a region-specific network workaround they did not request. While not inherently malicious, this is a real policy and safety issue because hosts-file modifications are invasive and region-tailored behavior may be inappropriately suggested to users outside the intended environment.

VirusTotal

64/64 vendors flagged this skill as clean.
