Git Backup

Security checks across malware telemetry and agentic risk

Overview

This skill is a real GitHub backup workflow, but it handles credentials unsafely and can silently upload broad workspace data.

Install only after narrowing the backup scope, disabling silent scheduled pushes by default, and replacing the PAT-in-chat, plaintext-token, and token-in-remote-URL handling with a secure credential helper or secret manager. Use a dedicated private repository, a fine-grained least-privilege token, visible backup logs, and explicit review before pushing new files.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium, 96% confidence

Finding: The skill directs the agent to harvest GitHub credentials from multiple unrelated local sources, including git remotes, shell startup files, and plaintext credential files. That is broader than necessary for a backup workflow and creates a credential-discovery pattern that can expose secrets the owner did not explicitly authorize the agent to inspect or reuse.

Intent-Code Divergence

Medium, 98% confidence

Finding: The skill claims the generated .gitignore excludes secrets, but the actual ignore rules do not cover the token storage locations referenced elsewhere in the skill. This mismatch can cause credentials or other sensitive files to be committed and pushed to GitHub despite the documentation implying they are protected.

Intent-Code Divergence

Medium, 99% confidence

Finding: The guidance says to exclude credentials, but the actual token is saved under ~/.credentials while the .gitignore only mentions credentials/ relative to the repo. That discrepancy creates a false sense of safety and increases the chance sensitive data will be tracked, copied into the workspace, or otherwise mishandled during backup.

Missing User Warnings

High, 99% confidence

Finding: The skill tells the agent to ask the owner to send a GitHub PAT directly in chat without warning that the credential is highly sensitive. Requesting secrets through normal conversation increases the chance of interception, logging, accidental retention, or reuse beyond the user's intent.

Ssd 3

High, 99% confidence

Finding: The workflow explicitly solicits a GitHub PAT from the owner, stores it in plaintext, and embeds it into the git remote URL. This exposes credentials through chat, local files, process history, config, and command output surfaces, creating multiple opportunities for compromise.

Ssd 3

High, 97% confidence

Finding: The skill directs routine upload of broad workspace contents (including memory, notes, skills, data, and config) to an external GitHub repository, even on a schedule. In this context, the workspace likely contains sensitive operational data, personal notes, configuration, and possibly secrets, so automatic exfiltration to a third-party service is highly dangerous.

VirusTotal

VirusTotal findings are pending for this skill version.