Security audit

Search And Fork

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Gitee helper for finding repositories and forking one the user selects.

Install this only if you want the agent to use your configured Gitee MCP account for repository discovery and forking. Before any fork, confirm the exact source repository and destination account or organization, and prefer least-privileged Gitee credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 90%
Finding
The manifest description contains broad trigger phrases such as 'find me an open source project' and 'fork a repository', which can match many common user requests beyond the narrow intended workflow. This can cause the skill to activate in situations where repository search/forking is not appropriate, potentially leading to unintended external actions against the user's Gitee account.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.