Skill Release Plus

Security checks across malware telemetry and agentic risk

Overview

This is a coherent publishing tool, but it needs review because it can publish publicly, create/push GitHub repositories, and run user-supplied hooks with broad local environment access.

Install only if you are comfortable with a tool that can publish skill contents to external services. Use --check and --dry-run first, keep tokens narrowly scoped, verify the resolved GitHub owner/repo before using github-release or --target all, and run user-hook targets only from scripts you fully trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Finding (Medium, 83% confidence):
The adapter's documented behavior includes pushing repository contents and auto-creating repositories, which is a broader and more destructive action set than a typical 'upload release asset' workflow. In a skill publisher context, this can cause unintended source publication, repository creation in the wrong owner/org, and silent modification of existing repositories if the user expects only a release artifact upload.

Context-Inappropriate Capability

Finding (Medium, 93% confidence):
This adapter intentionally executes an arbitrary local script chosen by the caller and grants it broad access by inheriting the current process environment. In a publishing tool, that can expose API tokens, cloud credentials, CI secrets, and other sensitive runtime state to any hook, expanding the adapter's power beyond merely uploading a package.

Missing User Warnings

Finding (Low, 86% confidence):
The README documents commands that perform real external side effects across multiple registries and explicitly supports custom subprocess-based user hooks, but it does not prominently warn users that running the examples can publish artifacts, consume credentials, and execute arbitrary local scripts. In a release/publishing skill, these behaviors are expected, but the lack of safety guidance increases the risk of accidental publication or unsafe hook usage, especially when users copy-paste commands.

Missing User Warnings

Finding (Medium, 91% confidence):
The quick-start and custom hook flow encourage publishing packages to third-party services and executing a user-supplied hook script, yet they do not prominently warn that local package contents and metadata will be sent off-host and that the hook runs as a subprocess with access to release metadata and file paths. In a publishing skill this behavior is expected, but without an explicit warning and confirmation step users may unintentionally exfiltrate sensitive files or hand control to a risky hook target.

Missing User Warnings

Finding (Medium, 92% confidence):
The code extracts a tarball directly into the cloned repository using tar.extract and tar.extractall without validating member paths. If the tar archive contains path traversal entries, symlinks, or other malicious members, extraction can overwrite files outside the intended directory, alter git metadata, or plant unexpected content that is then committed and pushed to GitHub.

Missing User Warnings

Finding (Medium, 84% confidence):
The hook execution sends package metadata, changelog text, and filesystem paths to an external executable without any consent checkpoint at the execution site. Because the hook can then transmit that information elsewhere, this creates a data-exposure boundary that users may not fully appreciate, especially in automated or CI contexts.

VirusTotal

63/63 vendors flagged this skill as clean.