Wip Repos

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real repo-management tool, but it needs review because it can make broad and partly under-documented changes across local repositories.

Install only if you trust this publisher with broad local repository write access. Use `wip-repos sync --dry-run` before live sync, review manifest paths for `..` or unexpected destinations, and avoid `wip-repos claude` or `wip-repos compliance --fix` unless you explicitly want bulk edits to CLAUDE.md and legal/package files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (11)

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding
The CLI contains a hidden/undocumented `claude` command that is not disclosed in the advertised command set, creating an unexpected AI-agent execution surface. Undocumented capabilities are dangerous because users and reviewers cannot accurately assess what actions the tool may take, and AI-integrated commands often imply network access, prompt-driven behavior, or indirect execution paths that can be abused if invoked with repository content or user-controlled arguments.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding
Importing and exposing `runClaude` introduces AI-agent capability into a tool whose stated purpose is local repo-manifest reconciliation, which materially broadens the trust boundary. In this context, the mismatch makes the feature more dangerous because operators may grant filesystem access expecting deterministic file-management behavior, while an agentic command can process untrusted repo content, make network requests, or perform unintended actions outside the manifest workflow.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The skill’s stated purpose is repo manifest reconciliation, but this section adds compliance auditing and remediation behavior across repositories. That scope expansion increases the tool’s authority and makes it capable of changing unrelated repository contents, which is risky in an agent setting because users may invoke it expecting only organizational changes.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
This code can create or modify legal/compliance files such as CLA.md, .license-guard.json, and .npmignore inside repositories, which is a materially different and higher-risk capability than reconciling folder layout. In an automated agent workflow, that can silently alter licensing, contribution terms, or packaging behavior across many repos, creating legal, operational, and supply-chain consequences.

Intent-Code Divergence

Severity: Medium
Confidence: 85%
Finding
The docstring says matching is based on full remote URL, but the implementation extracts only an owner/repo fragment from git config. That mismatch can cause repositories from different hosts or URL schemes with the same owner/repo name to be treated as identical, leading to incorrect move plans and accidental reorganization of the wrong repositories.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill explicitly promotes a `sync` operation that moves repositories on disk to match a manifest, but the documentation does not clearly foreground that this changes the filesystem and may relocate many directories. In an agent-driven context, users or downstream automation may invoke `sync` assuming it is informational, leading to unintended repo moves, broken paths, or workflow disruption.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The CLI examples show `wip-repos sync` immediately after `wip-repos sync --dry-run`, but do not clearly label the former as the destructive variant. Example commands are often copied verbatim by users and agents, so presenting a state-changing command without a prominent warning increases the chance of accidental bulk filesystem modifications.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill includes direct write and move operations that can persist manifest changes and rename repository directories without any built-in confirmation, dry-run default, or user-facing warning. In an agent context, silent state-changing behavior is dangerous because a mistaken invocation, bad manifest, or incorrect plan can immediately alter many repositories on disk.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding
The MCP server exposes state-changing tools (`repos_add` and `repos_move`) that directly modify the manifest file, but their descriptions and responses do not clearly warn callers that these are write operations. In an agent-driven environment, insufficient signaling around destructive or persistent actions can lead to unintended file modification, especially if a model or orchestrator assumes the tools are informational rather than mutating.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content (package.json excerpt, as scanned):
    "directory": "tools/wip-repos"
      },
      "dependencies": {
        "@modelcontextprotocol/sdk": "^1.0.0"
      }
    }
Confidence: 90%
Finding
"@modelcontextprotocol/sdk": "^1.0.0"

Known Vulnerable Dependency: @modelcontextprotocol/sdk==1.0.0 — 2 advisory(ies): CVE-2026-0621 (Anthropic's MCP TypeScript SDK has a ReDoS vulnerability); CVE-2025-66414 (Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protec)

Severity: High
Category: Supply Chain
Confidence: 97%
Finding
@modelcontextprotocol/sdk==1.0.0

VirusTotal

67/67 vendors flagged this skill as clean.
