gsd-by-glittercowboy

Security checks across malware telemetry and agentic risk

Overview

This looks like a real project automation skill, but it needs Review because it can make persistent repository and environment changes and asks for secrets without consistently clear approval boundaries.

Install only if you want a powerful autonomous development workflow that can edit code, run shell commands, change git history, install tools, and store project/debug context. Use it in a disposable branch or sandboxed workspace, choose interactive settings, review diffs before pushing, avoid pasting secrets into chat, and require explicit approval for global installs, deployments, destructive commands, and commits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (67)

Intent-Code Divergence (Medium, 85% confidence)
The execution protocol example tells the user to run `npm run dev` during a `checkpoint:human-verify`, which directly contradicts the document's own rule that the agent must start servers before asking for verification. This inconsistency can cause unsafe delegation of executable commands to the user and weakens the safety boundary the skill is trying to establish.

Context-Inappropriate Capability (Medium, 93% confidence)
The workflow performs `git add` and `git commit` as part of a codebase-mapping task, which exceeds the minimum privilege needed for documentation generation. This is dangerous because it makes persistent repository changes automatically, potentially committing inaccurate, sensitive, or attacker-influenced generated content without explicit user approval.

Context-Inappropriate Capability (Medium, 97% confidence)
The workflow performs `git init` and later creates commits automatically as part of normal execution, which changes the user's workspace state beyond passive planning. In a skill intended for project setup, those side effects are security-relevant because they occur without explicit informed consent immediately before execution and can alter repository boundaries, history, hooks, and downstream automation behavior.

Context-Inappropriate Capability (Medium, 91% confidence)
The skill enables Bash for a task that primarily consists of structured file validation and edits, which expands the attack surface beyond what is necessary. In this workflow, Bash is then used for grep, ls, rm, and git operations driven by user-supplied input, increasing the chance of unsafe command construction or unintended repository changes if arguments are malformed or assumptions break.

Context-Inappropriate Capability (Medium, 93% confidence)
The workflow grants and uses Bash plus git operations for a task described as conversational UAT, which expands the skill from passive validation into repository-modifying execution. In an agent setting, this increases the chance of unintended shell execution, state changes, and commits without explicit user approval, especially because phase and path values are derived from workspace content and arguments.

Vague Triggers (Medium, 95% confidence)
The routing table includes very broad natural-language triggers such as "test", "context", "continue", and "capture" that are likely to overlap with ordinary conversation. In a user-invocable skill that can plan work, modify files, and orchestrate execution, this increases the chance of unintended activation or misrouting into workflows that perform stateful or code-changing actions without sufficiently explicit user intent.

Vague Triggers (Medium, 96% confidence)
The line "Or just tell me what you want and I'll guide you through GSD" advertises a catch-all activation path instead of constraining use to explicit commands. Because this skill supports project initialization, planning, execution, and persistent state operations, ambiguous activation can cause users to enter high-impact workflows unintentionally or without understanding that project files may be created or modified.

Missing User Warnings (Medium, 90% confidence)
The skill description emphasizes automated research, planning, and execution but does not clearly warn that workflows may create `.planning/` artifacts, modify project files, or perform execution steps across a codebase. In context, this omission is more dangerous because the skill is designed as a full-project orchestrator with execution and verification capabilities, so users may invoke it without informed consent about side effects.

Missing User Warnings (Medium, 94% confidence)
The skill is explicitly designed to write files directly into the repository via the Write tool, but the instructions do not include a user-facing warning that running it will modify the workspace. Because it explores broadly and writes derived documentation into a fixed path, users may trigger repository changes unintentionally or overwrite existing planning artifacts without informed consent.

Missing User Warnings (Medium, 96% confidence)
The document-writing step tells the agent to write directly to `.planning/codebase/` and emphasizes direct writes to reduce context transfer, but it does not require any safety check around existing files or notify the user about filesystem mutation. This creates a concrete risk of silent overwrite, unintended repository modifications, and downstream trust in generated documents that other commands will consume.

Missing User Warnings (Medium, 94% confidence)
The skill explicitly directs the agent to create and continuously update persistent files under `.planning/debug` throughout the debugging workflow, including verbatim user input and investigation state. Because there is no requirement to notify the user, request consent, or offer an ephemeral mode, the agent may silently write potentially sensitive bug reports, error messages, reproduction steps, and derived evidence into the workspace, creating privacy, compliance, and repository hygiene risks.

Missing User Warnings (Medium, 94% confidence)
The skill explicitly authorizes executing a plan by writing code, creating files, and producing commits, but the description does not clearly warn the user that invoking it can modify the repository state. In an agent setting, this can lead to unexpected persistent changes, especially because plan content is inlined from another component and may be treated as trusted work to carry out.

Missing User Warnings (Medium, 96% confidence)
The skill includes direct shell/git execution steps, including staging and committing files, without an explicit safety interstitial or confirmation requirement. Because the agent is also allowed to use Bash, these instructions increase the chance of unintended repository mutation or execution of risky commands derived from plan content or surrounding workflow context.

Missing User Warnings (Medium, 95% confidence)
The deviation rules authorize the agent to autonomously fix bugs, add security/correctness changes, and resolve blockers, which materially expands the scope of repository and environment changes beyond the original plan. In context, this is more dangerous because the executor consumes plan content produced elsewhere and is instructed to act automatically, so unreviewed changes can cascade into broad code or environment modifications.

Missing User Warnings (Medium, 95% confidence)
The skill explicitly instructs the agent to write a file into the repository and then run `git add` and `git commit` automatically, with no requirement for user approval or even a warning that repository state will be changed. In an agent setting, autonomous persistence of changes is dangerous because it can create unwanted commits, interfere with in-progress work, and normalize silent modification of source control state.

Missing User Warnings (Medium, 92% confidence)
The skill explicitly grants Write and Bash capabilities, and the instructions direct the agent to create and revise PLAN.md files and even invoke shell commands in revision mode. While these actions are aligned with the planner's intended function rather than obviously malicious, the skill provides no user-facing warning, approval boundary, or limitation on what filesystem locations and shell commands may be used, which increases the risk of unintended file modification or command execution in the project environment.

Missing User Warnings (Medium, 95% confidence)
The skill explicitly instructs the agent to write files to the repository and create a git commit, but the skill itself contains no requirement to obtain fresh user confirmation before making those side effects. In an agent setting, this can lead to unauthorized workspace modification and persistence of potentially incorrect or prompt-influenced content, especially because the agent is driven by orchestrator-supplied prompts and external research sources.

Missing User Warnings (Medium, 96% confidence)
The skill instructs the agent to write multiple files and run `git add`/`git commit` automatically without any explicit user confirmation or safety gate. This creates an unauthorized side-effect risk: a prompt-triggered run can modify repository state and create persistent commits even when the user only intended planning assistance, and the content being committed may be influenced by untrusted project files.

Missing User Warnings (Medium, 95% confidence)
The guidance explicitly instructs the user to paste a raw API key into the conversation so the agent can apply it via CLI. That creates unnecessary secret exposure risk because the credential may be stored in chat logs, agent traces, prompt history, or downstream tooling, and there is no warning or safer collection mechanism. In this skill, the danger is elevated because the workflow is designed for autonomous execution and encourages routine secret handling by the agent.

Missing User Warnings (Medium, 91% confidence)
The file instructs the agent to auto-install global CLIs "silently" when commands are missing, without obtaining user consent or warning that system packages and global tools will be modified. This can unexpectedly alter the host environment, introduce supply-chain risk, and violate least surprise, especially on developer machines. The autonomous nature of the skill makes this more dangerous because it normalizes unattended system modification.

Missing User Warnings (Medium, 88% confidence)
The document explicitly normalizes collecting secrets from the user and then using them via CLI, but it does not include safeguards about minimizing collection, masking/redaction, secure storage, or prohibiting persistence in logs, plans, and files. In an autonomous execution skill, this increases the risk that API keys or other credentials are requested in unsafe contexts and then exposed through shell history, terminal output, plan artifacts, or repository files.

Missing User Warnings (Medium, 80% confidence)
The checkpoint example instructs users to run CLI commands without any warning, validation, or explicit statement that commands should be reviewed before execution. In an agent workflow, normalizing user execution of shell commands increases social-engineering risk and can lead to accidental execution of unsafe commands.

Missing User Warnings (Medium, 94% confidence)
This guidance asks the user to paste an API key directly into chat but provides no privacy or handling warning. Secrets entered into chat may be logged, retained, exposed to plugins/tools, or mishandled by downstream systems, making this an unsafe secret-collection pattern.

Vague Triggers (Medium, 91% confidence)
The rule authorizes automatic fixes for any issue discovered during execution, including security vulnerabilities, without requiring user confirmation. In a high-autonomy project execution skill, this broad trigger can justify substantial unreviewed code changes and create scope expansion or unsafe modifications under the label of a "bug fix."

Vague Triggers (Medium, 95% confidence)
The phrase "missing essential features for correctness, security, or basic operation" is subjective and gives the agent discretion to add new functionality without approval. In this skill's full project planning and execution workflow, that ambiguity is especially dangerous because it can be used to justify broad implementation changes, security middleware additions, policy changes, or other unscoped work as "critical."

VirusTotal

64/64 vendors flagged this skill as clean.