
Security audit

Sigmaflow Deploy

Security checks across malware telemetry and agentic risk

Overview

This deployment helper is open about what it does, but it embeds a reusable Git token and can automatically stage, commit and push every local change in the repository directory, so it needs review before use.

Install or run this only if you control the SigmaFlow repository and accept automated commits and pushes. Rotate the exposed token, remove credentials from the skill, switch to HTTPS or SSH with user-provided secrets, inspect the diff before staging, and avoid pushing directly to main without review or branch protections.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The skill documentation describes a deployment workflow but also discloses and normalizes dangerous behavior: use of an embedded Git credential, automatic committing, and staging all files. In an agentic context, that combination can lead to credential exposure and unintended exfiltration or publication of sensitive files, especially because `git add .` sweeps in everything in the repo directory.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding: The skill description is broad enough that an agent may invoke deployment for routine coding activity without a clear authorization checkpoint. In a deployment skill that can push to a remote Git server, ambiguous activation conditions increase the risk of unintended execution and unauthorized code publication.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The 'When to Run' section encourages use after nearly any feature, bug fix, or code change, but does not define boundaries such as approval gates, environment restrictions, or confirmation requirements. In this context, that makes accidental deployment and remote modification materially more likely.

Natural-Language Policy Violations

Severity: High
Confidence: 99%
Finding: A live Git repository token is hard-coded directly in the skill documentation, which exposes a reusable secret to anyone with access to the skill file and may also cause the secret to propagate into logs, prompts, backups, or model context. Because the skill targets a write-capable deployment repo, compromise of this token could enable unauthorized code pushes, tampering, or persistence in the software supply chain.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding: The script hardcodes a Git repository access token and uses it directly in clone and push URLs over plain HTTP. This exposes a live credential to anyone who can read the file, shell history, process list or logs, and to anyone who can intercept the unencrypted network traffic, enabling unauthorized repository access and code tampering.
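The patterns the findings above describe (a credential embedded in the clone and push URLs, the remote reached over plain HTTP, `git add .` staging the whole working tree, a push aimed straight at main) and the remediation in the Overview can be checked mechanically before a skill like this is installed. The following is an added example written for this page; it is not code from the Sigmaflow Deploy skill, from SkillSpector, or from the static analysis shown below. The sample script, the host `git.example.internal`, the token value and the function names are all constructed for illustration. Every URL in the report is redacted first, so the report itself cannot propagate the secret into logs or a review comment, which is the failure mode the 99%-confidence finding warns about.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the shape the findings describe; the token is fake.
SAMPLE_SCRIPT = """\
#!/bin/sh
git clone http://deploy:glpat-EXAMPLE0000000000000@git.example.internal/sigmaflow/app.git app
cd app
git add .
git commit -m "auto deploy"
git push http://deploy:glpat-EXAMPLE0000000000000@git.example.internal/sigmaflow/app.git main
"""

URL_RE = re.compile(r"\b(?:https?|ssh|git)://[^\s'\"]+")
# git add forms that stage everything under the working tree
BROAD_ADD_RE = re.compile(r"\bgit\s+add\s+(?:\.|-A|--all)(?:\s|$)")
# a push whose explicit target is a protected branch (pushes relying on the
# configured upstream are not caught by this check)
MAIN_PUSH_RE = re.compile(r"\bgit\s+push\b.*\b(?:main|master)\b")


def strip_userinfo(url: str) -> str:
    """Return url with any user:password@ part removed, so it is safe to log."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def harden_url(url: str) -> str:
    """Suggested replacement remote: no embedded credential and http upgraded to
    https. The token is then expected to arrive out of band, e.g. through a git
    credential helper or GIT_ASKPASS, never inside the URL."""
    clean = strip_userinfo(url)
    return "https://" + clean[len("http://"):] if clean.startswith("http://") else clean


def audit(script: str) -> dict:
    """Scan a deploy script line by line for the patterns flagged in the findings.
    Reported commands and URLs are redacted before they are stored."""
    report = {"embedded_credential": [], "insecure_scheme": [],
              "broad_staging": [], "direct_push_to_main": []}
    for lineno, line in enumerate(script.splitlines(), 1):
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            safe = strip_userinfo(url)
            if parts.username or parts.password:
                report["embedded_credential"].append(
                    {"line": lineno, "url": safe, "fix": harden_url(url)})
            if parts.scheme == "http":
                report["insecure_scheme"].append({"line": lineno, "url": safe})
        if BROAD_ADD_RE.search(line):
            report["broad_staging"].append({"line": lineno, "cmd": line.strip()})
        if MAIN_PUSH_RE.search(line):
            # the push line carries the URL too, so redact it before recording
            redacted = URL_RE.sub(lambda m: strip_userinfo(m.group(0)), line)
            report["direct_push_to_main"].append({"line": lineno, "cmd": redacted.strip()})
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SCRIPT), indent=2))
```

Run against a skill's script or SKILL.md before installing it; a non-empty `embedded_credential` list means the token is already burned and must be rotated regardless of what else the audit finds, since anyone who has read the file has it.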

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.