Github Ops

Security checks across malware telemetry and agentic risk

Overview

This skill is a GitHub automation helper, but it asks an agent to use stored credentials for public, account-changing actions without clear approval gates.

Install only if you intentionally want an agent to make GitHub account changes on your behalf. Use a dedicated least-privilege token, require explicit confirmation before creating repos, pushing code, creating releases, or triggering deployments, and avoid embedding tokens in git remotes.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill is declared as GitHub operations, but its documented flow expands into Vercel deployment and returning deployment URLs, which increases capability beyond the stated scope. This kind of scope drift is dangerous because it enables additional remote actions and integrations that users and policy layers may not expect or authorize.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The skill explicitly reads a GitHub token from a local secrets file, giving the skill direct access to a privileged credential independent of per-request user consent. In a fully automated skill that performs remote writes, this materially raises the risk of unauthorized repository creation, code publication, release creation, and abuse of the account tied to the token.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The skill claims users do not need to provide a token, while the documented setup and tests clearly depend on loading and using GITHUB_TOKEN. This mismatch obscures credential use from users and reviewers, making it easier for sensitive operations to occur without informed understanding of what secrets are being accessed.

Vague Triggers

High
Confidence: 95%
Finding
Describing the skill as fully automatic GitHub operations without constraints creates an overly broad activation and execution scope for sensitive write actions. In practice, this can cause the agent to create repositories, push code, or publish releases from loosely matched requests without sufficient authorization checks.

Vague Triggers

Medium
Confidence: 92%
Finding
The examples show common natural-language requests directly triggering repository creation, code push, and release publication with no visible safeguards. This is dangerous because ambiguous user prompts could be interpreted as approval for irreversible remote actions affecting source control and public artifacts.

Missing User Warnings

High
Confidence: 96%
Finding
The skill advertises autonomous repository creation, code push, release publication, and deployment behavior without warning users about the risks of remote writes and public exposure. Missing warnings are especially dangerous here because the actions are externally visible, potentially irreversible, and can leak proprietary code or create supply-chain risk.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill describes accessing a stored GitHub token and using it for outbound authenticated requests without a user-facing warning. Because the token grants account capabilities, silent credential use materially increases the chance of unauthorized or surprising actions on behalf of the user or service account.

VirusTotal

VirusTotal findings are pending for this skill version.