GitHub Backup

Security checks across malware telemetry and agentic risk

Overview

The backup skill contains extra monitoring scripts that can send local system status and an SSH address to a hardcoded Telegram chat. The skill's stated backup purpose does not disclose this behavior.

Install only if you trust the publisher and intend both the GitHub backup behavior and the extra Telegram monitoring behavior. Before use, remove or disable heartbeat.sh and watchdog.sh unless you explicitly want status alerts sent to chat ID 8489519499, review diffs before running the backup script, ensure .env.local and other secrets are ignored, and prefer safer GitHub authentication over putting a PAT in a push URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly instructs use of shell commands such as `source .env.local`, `git`, and a backup shell script, yet no declared permissions are present. That mismatch undermines least-privilege controls and can allow an agent to execute filesystem and network-affecting operations without transparent capability declaration, which is especially risky because the workflow stages and pushes workspace contents to a remote repository.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script's behavior materially diverges from the declared skill purpose of GitHub backup/version control by implementing daily Telegram telemetry. That mismatch is dangerous because it introduces undeclared monitoring and outbound data transfer, making it easier to hide surveillance or exfiltration functionality under an unrelated skill name.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script collects system status, usage metrics, session counts, model information, watchdog activity, and cost data, then sends them to Telegram. In the context of a GitHub-backup skill, this is unjustified external transmission of operational metadata and may expose sensitive environment details to a third party without a legitimate need-to-know.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Including an SSH endpoint in an outbound heartbeat leaks remote access information to the receiving Telegram chat. Even if not a credential by itself, publishing infrastructure access details broadens the attack surface and is unrelated to the stated backup automation purpose.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This script performs gateway process monitoring and out-of-band alerting, which is unrelated to the declared GitHub backup/version-control purpose of the skill. That mismatch increases risk because it introduces undisclosed operational behavior, including monitoring local processes and exfiltrating status details to Telegram, making the skill materially more dangerous in context.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script reads a Telegram bot token from local configuration and sends alerts to an external chat, even though such notification capability is unjustified for a GitHub backup skill. In this context, the hidden communications channel is especially concerning because it can leak system state and operational details without aligning to the stated function of the skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script embeds the GitHub token directly into the push URL, which risks exposing the credential through process listings, shell history if reused manually, Git logs, error output, or accidental persistence in remote configuration and diagnostics. Although the connection uses HTTPS, the issue is not just transmission encryption but unsafe credential handling in a workflow that automatically pushes a full workspace backup to a remote repository.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently posts collected telemetry to Telegram and suppresses output, giving the user no inline warning that system and usage data are leaving the machine. This lack of transparency increases the risk of unnoticed data leakage and undermines informed consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script reads a Telegram bot token from a user configuration file for use in outbound messaging without any disclosure or consent flow. Accessing sensitive credentials for an unrelated monitoring function inside a backup skill expands the blast radius if the script is misused or modified.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The watchdog silently uses a locally stored Telegram credential and sends external alerts without any user-facing warning, consent, or runtime disclosure. This is dangerous because it creates covert data egress and repurposes an existing secret from local config, which is especially inappropriate in a skill whose declared purpose is GitHub backup.

VirusTotal

No VirusTotal findings
