Security audit

sprint-release-notes

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its release-notes purpose, but it asks for broad GitHub authority and includes publishing whose target scope is unclear, contributor ranking, plaintext token handling, and conflicting repository-write guidance.

Install only after reviewing the workflow carefully: use a fine-grained GitHub token limited to the exact repositories, keep PATs out of the YAML file, run in dry-run mode first, remove or disable the contributor-ranking and repo-file-commit paths if they are not needed, and require explicit approval before publishing releases or comments.
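The review steps above can be run as code before install. The following is an added example, not part of the skill or of SkillSpector's output: it loads a config shaped like the one the findings describe (the keys, the sample values and the egress allow-list are assumptions; the page does not show the real file layout) and flags an inline PAT, an undeclared outbound destination, more than one write target, and the contributor-ranking switch.

```python
"""Pre-install review of a release-notes skill config (added example; keys are assumed)."""
import re
from urllib.parse import urlparse

# Constructed sample config mirroring the audit's findings; not the skill's real file.
SAMPLE_CONFIG = {
    "github_token": "ghp_exampleexampleexampleexampleexample1234",  # inline PAT (constructed)
    "repos": ["acme/api", "acme/web"],
    "publish_to": "acme/release-notes",          # designated notes repo
    "commit_notes_to_source_repos": True,        # conflicting: also writes to each source repo
    "discord_webhook": "https://discord.com/api/webhooks/123/abc",  # undeclared egress
    "rank_contributors": True,
}

# GitHub token prefixes (ghp_/gho_/ghu_/ghs_/ghr_/github_pat_); the length bound is approximate.
TOKEN_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})\b")
ALLOWED_HOSTS = frozenset({"api.github.com", "github.com"})  # assumed egress allow-list


def find_inline_tokens(cfg):
    """Return top-level keys whose string value looks like a GitHub token."""
    return [k for k, v in cfg.items() if isinstance(v, str) and TOKEN_RE.search(v)]


def find_undeclared_egress(cfg, allowed_hosts=ALLOWED_HOSTS):
    """Return (key, host) for every URL whose host is not on the allow-list."""
    out = []
    for key, value in cfg.items():
        if isinstance(value, str) and value.startswith(("http://", "https://")):
            host = urlparse(value).hostname or ""
            if host not in allowed_hosts:
                out.append((key, host))
    return out


def write_targets(cfg):
    """Resolve every repository the skill could write to; more than one is the ambiguity flagged."""
    targets = set()
    if cfg.get("publish_to"):
        targets.add(cfg["publish_to"])
    if cfg.get("commit_notes_to_source_repos"):
        targets.update(cfg.get("repos", []))
    return sorted(targets)


def resolve_token(cfg, environ):
    """Take the PAT from the environment only; refuse to fall back to the config file."""
    if find_inline_tokens(cfg):
        raise ValueError("remove the token from the config file and set GITHUB_TOKEN instead")
    token = environ.get("GITHUB_TOKEN")
    if not token:
        raise ValueError("GITHUB_TOKEN is not set")
    return token


def review(cfg):
    """Collect human-readable findings; an empty list means the config passed these checks."""
    findings = []
    for key in find_inline_tokens(cfg):
        findings.append(f"inline token in config key '{key}'; move it to an env var")
    for key, host in find_undeclared_egress(cfg):
        findings.append(f"undeclared outbound destination {host} via '{key}'")
    targets = write_targets(cfg)
    if len(targets) > 1:
        findings.append(f"ambiguous write targets: {targets}")
    if cfg.get("rank_contributors"):
        findings.append("contributor ranking enabled; unrelated to release notes")
    return findings


if __name__ == "__main__":
    for line in review(SAMPLE_CONFIG):
        print("-", line)
```

Only top-level string values are scanned; nested structures would need a recursive walk, and the token pattern is a heuristic that catches the common prefixes rather than every credential format.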

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding
The skill expands from release-note generation into repository document inspection and contributor evaluation without reflecting that scope in the primary description. Hidden scope expansion is a security concern because it broadens data access and processing beyond user expectations, especially when PAT-backed repository reads are involved.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
Contributor scoring and award-style ranking are unrelated to the core task and introduce unnecessary collection and inference about individual performance. This increases privacy and misuse risk, especially in workplace settings, because the skill turns engineering activity into personnel evaluation without clear necessity or consent.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding
Contradictory documentation about whether notes are published to a designated repository or each source repository creates ambiguity around where write operations occur. Ambiguous write targets are dangerous because they can cause unauthorized publication to the wrong repository or a broader set of repositories than the user intended.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The configuration file includes a Discord webhook destination that is not described in the skill manifest, creating an undocumented outbound communication channel. In an automation skill that handles GitHub tokens and release publishing, hidden notification or exfiltration paths materially increase risk because users and reviewers may not realize data can be sent to Discord.

Intent-Code Divergence

Severity: Low
Confidence: 90%
Finding
The comments state that credentials are stored for automated execution and mention Discord webhook usage despite the manifest only describing GitHub release-note publishing and optional issue comments. This mismatch undermines transparency about credential handling and destinations, which is dangerous in a skill that requests broad GitHub PAT scopes because reviewers may approve behavior they do not fully understand.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The skill metadata says release notes should be published as GitHub Release descriptions, but this reference file additionally documents committing files into repositories. That materially expands write capability beyond the declared behavior and can lead to unauthorized repository modifications, persistence of generated content in source control, and user surprise about where data is being written.

Description-Behavior Mismatch

Severity: Medium
Confidence: 85%
Finding
The documented ability to fetch repo contents, docs directories, and README files is outside the stated flow of generating release notes from project board items and publishing release descriptions. This broadens the skill's read access to unrelated repository content, increasing the chance of collecting sensitive internal documentation or overreaching beyond user expectations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 83%
Finding
The reference includes PR file-change inspection and review-analysis workflows that are not described in the skill manifest. These capabilities enable deeper behavioral and contribution analysis than needed for basic sprint release notes, which increases data collection scope and can expose contributor activity, code-change metadata, and documentation structure without clear disclosure.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The skill metadata says release notes are published as GitHub Release descriptions and not committed as files, but this code can commit markdown into a repository via the Contents API. That mismatch is dangerous because users may grant a PAT expecting only release-management actions, while the script also has the ability to write persistent content to repository history, broadening the blast radius of misuse or mistakes.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding
The trigger phrases are broad enough that the skill may activate for generic requests about sprint summaries or release notes, even when the user did not intend repository publishing. Overbroad invocation is risky in a skill that consumes sensitive tokens and can perform external writes, because it raises the chance of unintended execution.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The description does not prominently warn that the skill can publish or update GitHub Releases across repositories. Missing disclosure is dangerous because users may treat it as a read-only summarization tool and provide a PAT without understanding that it enables state-changing operations.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding
The skill instructs ranking individual contributors without any opt-in, policy basis, or necessity for the stated release-notes task. In context, this is more dangerous because it repurposes repository activity data for employee-style evaluation, which can create privacy, fairness, and governance issues.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The file documents a repository write operation but provides no user-facing warning, confirmation requirement, or safety guidance. In a skill that uses a PAT and targets production repositories, silent write behavior is dangerous because it may modify default branches or create lasting content without explicit user approval.
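A runtime gate that enforces the dry-run-first, explicit-approval advice from the overview, written here as an added example rather than code from the skill. The two write kinds map to the GitHub endpoints named in the comments; the `send` callable that would perform the HTTP request is left to the caller so the example runs offline, and the repository allow-list and protected-branch set are assumptions.

```python
"""Approval gate for state-changing GitHub operations (added example, not the skill's code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class WriteOp:
    """One state-changing GitHub call the skill wants to make."""
    kind: str     # "release": POST /repos/{owner}/{repo}/releases
    repo: str     # "commit":  PUT  /repos/{owner}/{repo}/contents/{path}
    target: str   # release tag, or "<branch>:<path>" for a commit


class ApprovalRequired(Exception):
    """Raised when a live (non-dry-run) write has not been explicitly approved."""


@dataclass
class WriteGate:
    allowed_repos: frozenset                      # assumed: the exact repos the token may touch
    allow_commits: bool = False                   # release descriptions only, as the manifest states
    protected_branches: frozenset = frozenset({"main", "master"})
    dry_run: bool = True                          # default to recording the plan, not sending it
    approved: set = field(default_factory=set)    # ops the user explicitly approved
    log: list = field(default_factory=list)

    def check(self, op):
        """Reject an op that policy forbids; raising here happens before anything is sent."""
        if op.repo not in self.allowed_repos:
            raise PermissionError(f"{op.repo} is outside the repository allow-list")
        if op.kind == "commit":
            if not self.allow_commits:
                raise PermissionError("file commits are disabled; only release descriptions are published")
            branch = op.target.split(":", 1)[0]
            if branch in self.protected_branches:
                raise PermissionError(f"refusing to commit to protected branch {branch}")
        elif op.kind != "release":
            raise ValueError(f"unknown write kind {op.kind!r}")

    def run(self, ops, send):
        """Check every op first, then record the plan (dry run) or send only approved ops."""
        for op in ops:
            self.check(op)
        for op in ops:
            if self.dry_run:
                self.log.append(("planned", op))
            elif op in self.approved:
                send(op)
                self.log.append(("sent", op))
            else:
                raise ApprovalRequired(f"{op.kind} to {op.repo} ({op.target}) has not been approved")
        return self.log


if __name__ == "__main__":
    gate = WriteGate(allowed_repos=frozenset({"acme/api"}))
    print(gate.run([WriteOp("release", "acme/api", "v1.4.0")], send=print))
```

Checking the whole batch before sending anything means a single out-of-scope repository aborts the run instead of leaving half the releases published.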

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
Accepting a GitHub PAT via a command-line argument is dangerous because command-line arguments are often exposed through shell history, process listings, CI logs, audit tools, and crash reports. In a skill designed to run with repository-write privileges, accidental token disclosure can lead to unauthorized access to every repository and organization resource the token can reach.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The script extracts a GitHub PAT from a config file and passes it as a command-line argument to a child process. Command-line arguments can be exposed to other local processes, shell history, debugging tools, CI logs, or crash reports, making accidental credential disclosure more likely. In this skill's context, the token grants GitHub access across repositories, so leakage could enable release tampering or broader repository compromise depending on token scope.
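The two findings above both come down to where the child process receives the token. As an added example (not the skill's script), the following shows the flagged pattern beside two alternatives and a check that a wrapper can run on its own argument list before launching. The child tool is stood in for by a Python one-liner that reads the token from its environment or stdin and reports only its length; the token value and tool name are constructed placeholders.

```python
"""Handing a GitHub PAT to a child process without putting it in argv (added example)."""
import os
import re
import subprocess
import sys

# GitHub token prefixes (ghp_/gho_/ghu_/ghs_/ghr_/github_pat_); the length bound is approximate.
TOKEN_RE = re.compile(r"gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,}")
FAKE_PAT = "ghp_" + "A" * 36   # constructed placeholder, not a real credential

# Stand-in for the real child tool: takes the token from the env or stdin, prints only its length.
CHILD = ("import os, sys; "
         "t = os.environ.get('GITHUB_TOKEN') or sys.stdin.readline().strip(); "
         "print(len(t))")


def argv_exposes_token(argv):
    """True if any argument looks like a token. On Linux /proc/<pid>/cmdline is readable by
    every local user, so `ps`, CI log capture and crash reporters all see it."""
    return any(TOKEN_RE.search(arg) for arg in argv)


def leaky_argv(pat, tool="release-tool"):
    """The pattern the audit flags: the PAT travels in the argument list."""
    return [tool, "--token", pat]


def run_child_via_env(pat):
    """Pass the token only through the child's environment: visible in /proc/<pid>/environ to
    the same user and root, but not to other users, process listings or argv-based log capture."""
    argv = [sys.executable, "-c", CHILD]
    if argv_exposes_token(argv):
        raise RuntimeError("refusing to launch: token present in argv")
    env = {**os.environ, "GITHUB_TOKEN": pat}
    out = subprocess.run(argv, env=env, stdin=subprocess.DEVNULL,
                         capture_output=True, text=True, check=True).stdout
    return int(out)


def run_child_via_stdin(pat):
    """Stricter still: write the token to the child's stdin, which no process listing shows."""
    argv = [sys.executable, "-c", CHILD]
    env = {k: v for k, v in os.environ.items() if k != "GITHUB_TOKEN"}
    out = subprocess.run(argv, env=env, input=pat + "\n",
                         capture_output=True, text=True, check=True).stdout
    return int(out)


if __name__ == "__main__":
    print("leaky argv exposes token:", argv_exposes_token(leaky_argv(FAKE_PAT)))
    print("token length seen via env:", run_child_via_env(FAKE_PAT))
    print("token length seen via stdin:", run_child_via_stdin(FAKE_PAT))
```

The environment route is usually enough for a CI job, but note that some CI systems dump the environment into logs on failure; stdin avoids that as well, at the cost of requiring the child tool to support reading the token from a pipe.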

VirusTotal

67/67 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.