project-context-guide

Security checks across malware telemetry and agentic risk

Overview

This skill is a local codebase analysis helper, but it also profiles contributor activity and describes broad integrations and learning behavior without clear user controls.

Install only in repositories where you are authorized to inspect source and Git history. Treat reports as sensitive because they may include diffs, commit messages, contributor emails, maintainer names, collaboration relationships, and activity-time patterns. Avoid external Slack/JIRA/Confluence-style integrations unless your team has explicit consent and data-handling rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and documents capabilities that imply repository scanning, file access, script execution, and Git interrogation, but it does not declare permissions or boundaries for those operations. This creates a trust and containment problem: users and the platform cannot accurately assess what data the skill may access or what commands it may run, increasing the risk of unintended file modification, secret exposure, or shell abuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior goes beyond code-context assistance into collection of contributor email addresses, inference of working-hour patterns, and direct subprocess-based repository interrogation without transparent permission disclosure. That mismatch is dangerous because users may invoke a seemingly harmless analysis skill without realizing it performs personnel profiling and broader system access than its stated purpose suggests.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The README documents fetching Slack conversation history via an external API, which goes beyond the skill's primary purpose of local codebase/context analysis. Even as an example, this normalizes transmitting potentially sensitive project metadata or discussion content to/from third-party services without clear scope controls, consent, or data-handling safeguards.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The skill proposes integrations with chat systems, document platforms, and task trackers that extend data access well beyond the repository context. Even if intended for convenience, this broadens the attack surface and can expose sensitive conversations, internal documents, and ticket metadata unrelated to the user's immediate request.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill derives contributor active-hour patterns from commit timestamps, which goes beyond code ownership analysis into employee behavioral profiling. In an agent skill context, this can expose work habits and personal scheduling patterns that may be sensitive and unnecessary for the core task, increasing privacy and insider-targeting risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation advertises command execution and, elsewhere in the README, external API usage without a clear warning that these actions may execute local commands or transmit data outside the repository. In a developer-assistance skill, this increases the risk of users invoking powerful capabilities without understanding privacy, integrity, or system-impact implications.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The activation conditions are broad enough to match many ordinary coding or review requests, which can cause the skill to run in situations where users did not intend repository-wide, history-based, or people-related analysis. Overbroad invocation increases the chance of unnecessary data collection and accidental exposure of metadata from code, Git history, or collaboration systems.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states it will record user focus areas and learn team decision patterns, which implies persistent collection of user behavior and organizational metadata without a clear warning, consent flow, retention limit, or access control model. This creates privacy risk and the possibility of profiling users or teams beyond the immediate assistance task.

VirusTotal

65/65 vendors flagged this skill as clean.