Back to skill

Security audit

PR Automate Check

Security checks across malware telemetry and agentic risk

Overview

This PR automation skill is mostly coherent, but it uses your authenticated GitHub CLI and can act on the wrong repository because it only extracts the PR number from the supplied URL.

Review before installing. Use it only from the intended repository and GitHub account, and avoid cron/webhook automation until the script validates the full owner/repo/PR URL and passes an explicit repo to `gh`. Only provide Discord webhooks for channels allowed to receive PR links and health summaries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to execute shell commands (`bash`, `gh`, `curl`, `python3`) but does not declare permissions, which hides its operational capabilities from users and any permission-gating system. This increases the chance of unintended command execution, external network access, and handling of sensitive PR data without explicit consent or review.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrase `auto review` is broad enough to match ordinary user requests that may not intend to invoke this specific skill. That can cause accidental execution of a pipeline that fetches PR data, runs shell scripts, and potentially sends notifications externally, making misrouting more consequential than a simple UX issue.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill describes Discord notification behavior but does not clearly warn that PR metadata and health summaries are transmitted to an external webhook. This can lead to unintentional data exfiltration of repository links, status details, and potentially sensitive operational information to third-party endpoints.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.