Security audit

Snowsand Bitbucket

Security checks across malware telemetry and agentic risk

Overview

This Bitbucket skill is coherent and not deceptive, but it gives an agent real repository-changing power without clear built-in confirmation or least-privilege guardrails.

Install only if you want an agent to operate on real Bitbucket repositories. Use a dedicated least-privilege app password, prefer read-only scopes unless write actions are required, and require explicit human confirmation before merges, branch deletion, PR decline or approval, repository creation, comments, raw API POST calls, or pipeline runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly relies on environment variables containing credentials and makes network calls to Bitbucket, but it does not declare permissions. Missing explicit permission declarations weakens reviewability and least-privilege controls, making it easier for a skill with credential and network access to be invoked without adequate scrutiny.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script includes a `run-pipeline` command that actively triggers Bitbucket pipelines, which is a state-changing CI/CD operation. In an agent skill, this is more sensitive than passive pipeline status retrieval because it can execute repository-defined jobs that may deploy code, consume CI resources, or run with privileged project secrets; the risk is amplified because the skill description emphasizes pipeline status/check operations, not pipeline execution.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The description says the skill triggers on essentially any Bitbucket-related task, which is overly broad for a skill that can create repos, merge PRs, delete branches, and trigger pipelines. Broad invocation criteria increase the chance the agent uses this skill in situations where the user intended only read-only assistance, causing unintended state changes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The quick reference advertises state-changing and destructive operations such as create-repo, merge, decline, delete-branch, and pipeline execution without warnings, confirmation requirements, or guardrails. In an agent context, documentation that normalizes these actions without caution makes accidental destructive changes significantly more likely.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The authentication section instructs users to provide a Bitbucket app password and username but gives no guidance on secure storage, non-disclosure, rotation, or minimum scopes. In an agent setting, requesting sensitive credentials without handling warnings increases the risk of oversharing, logging, or reuse of overprivileged secrets.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.