tag-release

Security checks across malware telemetry and agentic risk

Overview

This skill automates real GitHub tag and release changes but includes hardcoded credentials and unrelated enterprise automation settings, so it needs careful review before installation.

Do not install this version as-is. Treat the bundled GitHub, Feishu, and Jenkins secrets as exposed: rotate them, remove them from the package, and require users to provide least-privilege credentials through a secret manager or environment variables. Only use the skill after confirming the target repositories and whether GitHub Release creation is desired.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly enables shell execution, file reads, and network access to perform real Git and GitHub operations, but it does not declare explicit permissions or capability boundaries. This weakens governance and review because consumers of the skill cannot reliably see that it can modify remote repositories and call external APIs before invocation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description frames the behavior as tagging releases, but the documented behavior also creates GitHub Releases, queries GitHub state, backfills missing releases, and fetches merged PR metadata for inclusion in tag/release content. This broader behavior increases the write scope and data-access scope beyond what a user may reasonably expect, creating risk of unintended repository changes, metadata disclosure, and overbroad token use.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The configuration embeds deployment notification, Feishu integration, wiki settings, and Jenkins CI/CD automation in a skill whose declared purpose is only to create and push release tags. This excessive capability materially widens the attack surface and violates least privilege: if the skill or its config is accessed, an attacker could trigger downstream automation, send internal notifications, or pivot into other enterprise systems unrelated to tagging.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
The file contains live-looking enterprise messaging and wiki credentials, including webhook URLs, app identifiers, and an app secret, despite these being unrelated to the stated tag-release function. Hardcoded secrets are directly exploitable if exposed, enabling unauthorized access to Feishu bots or APIs, internal messaging abuse, data access, and impersonation within the organization's collaboration environment.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
The configuration includes Jenkins URL, username, job templates, and an API token even though Jenkins automation is outside the declared tag-only scope. Exposed CI/CD credentials can allow unauthorized job execution, parameter manipulation, code deployment, or broader compromise of build infrastructure, making the context especially dangerous because tagging often interacts with release pipelines.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill description says it creates and pushes release tags, but the code also creates GitHub Release objects. That expands the write scope beyond the declared purpose, which is dangerous because users or operators may authorize the skill under a narrower trust assumption than the code actually requires.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code includes POST access to /releases and GET access to release lookups, giving it release-management capability not clearly justified by the stated tagging-only use case. Excess write capability violates least privilege and increases the blast radius if the skill is misused or invoked with overly broad credentials.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module documentation claims only branch/PR/tag operations are allowed, but the implementation additionally queries and creates GitHub Releases. This mismatch is security-relevant because reviewers may rely on the stated restrictions when deciding whether to trust or grant tokens to the skill.

VirusTotal

66/66 vendors flagged this skill as clean.