Back to skill

Security audit

Deploy Public

Security checks across malware telemetry and agentic risk

Overview

This is a real public deployment tool, but it also uses local secrets to publish npm packages and deletes public branches in ways that are not clearly disclosed.

Install only if you intentionally want this skill to publish private repository contents to a public GitHub repo, merge PRs, edit releases, delete public branches, and potentially publish npm packages using local 1Password-backed credentials. Review the target repo and exclusions carefully, run secret scanning before use, and prefer narrowly scoped GitHub and npm tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented behavior says this skill syncs a private repository to a public mirror while excluding only `ai/`, but the static finding indicates additional high-risk actions: creating public repositories, retrieving secrets, and publishing packages to npm. That is a dangerous capability expansion because operators may invoke the skill expecting a repo sync while it can also expose code publicly and use sensitive credentials to perform irreversible external publication actions.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is described as a private-to-public repo sync tool, but it also clones the public repo again, retrieves an npm token from local secret storage, and publishes packages to npm. This materially expands the blast radius from source synchronization to package registry release with credential use, creating a dangerous hidden side effect if the operator expects only a GitHub sync.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script accesses a 1Password-stored npm token even though the stated purpose is repo synchronization. Pulling credentials for an undeclared capability is dangerous because users may grant or run the skill under the assumption it only manipulates repositories, while it actually escalates into registry publishing with sensitive secrets.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README advertises that the tool creates a PR, merges it, syncs releases, and cleans up deploy branches, but it does not prominently warn that these actions modify a public repository and may be destructive or irreversible. In an agent-driven or automated context, this can cause users to invoke the skill without understanding that it will perform write operations against production repositories, increasing the risk of unintended publication or branch/release changes.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
This skill is explicitly designed to copy repository contents from private to public and automatically merge the resulting PR, but the description does not present that as a prominent safety warning. In this context, omission is risky because users may underestimate the chance of unintentionally publishing sensitive files, proprietary code, or incomplete changes, and the automatic merge reduces the opportunity for human review.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script reads a sensitive npm credential from local secret storage and proceeds toward publishing without any explicit upfront user confirmation. In an agent/automation context, this increases the chance of unintended secret use and unapproved package publication, especially because the skill's primary stated function is repo sync, not credentialed release operations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.