Ci Cd Helper

Security checks across malware telemetry and agentic risk

Overview

This is a simple CI/CD advice skill with no executable code, credentials, persistence, or hidden behavior.

Safe to install from a security perspective. Treat any generated workflows or deployment scripts as drafts: review permissions, secret handling, production targets, rollback behavior, and test in staging before running them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill is activated by very broad example phrases like designing a pipeline, writing a GitHub Actions workflow, or generating deployment scripts, which closely match ordinary CI/CD requests. Without clear activation boundaries, the agent may invoke this skill in contexts involving sensitive repositories, production deployment, or privileged automation, increasing the chance of unsafe or over-scoped assistance.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill offers to generate automatic deployment scripts without warning that such output can affect live systems, infrastructure, or data. In a CI/CD context, even small mistakes in deployment automation can cause service outages, data loss, or unintended exposure of secrets, so the lack of a safety warning materially increases operational risk.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal