Sen Dev Patterns

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a development-pattern reference library, but it bundles publishing scripts that can obtain Git credentials, rewrite git remotes, and push code to external repositories.

Review before installing, and do not run publish_skill.py or publish_gitee.py unless you intentionally want to publish this repository. If you use the skill only for local development patterns, remove or ignore the publishing scripts. If publishing is needed, use least-privilege tokens, avoid token-in-URL git remotes, and rotate any token that may already have been embedded in git config.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # 3. Git credential
    try:
        result = subprocess.run(
            ['git', 'credential', 'fill'],
            input='protocol=https\nhost=github.com\n\n',
            capture_output=True, text=True, encoding='utf-8',
Confidence
95% confidence
Finding
result = subprocess.run( ['git', 'credential', 'fill'], input='protocol=https\nhost=github.com\n\n', capture_output=True, text=True, encoding='utf-8',

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Add the remote (update it if it already exists)
    result = subprocess.run(['git', 'remote', 'get-url', 'origin'], capture_output=True, text=True)
    if result.returncode == 0:
        subprocess.run(['git', 'remote', 'set-url', 'origin', remote_url], check=True)
        print(f"[*] Updated origin URL")
    else:
        subprocess.run(['git', 'remote', 'add', 'origin', remote_url], check=True)
Confidence
96% confidence
Finding
subprocess.run(['git', 'remote', 'set-url', 'origin', remote_url], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        subprocess.run(['git', 'remote', 'set-url', 'origin', remote_url], check=True)
        print(f"[*] Updated origin URL")
    else:
        subprocess.run(['git', 'remote', 'add', 'origin', remote_url], check=True)
        print(f"[*] Added origin URL")

    # Push
Confidence
95% confidence
Finding
subprocess.run(['git', 'remote', 'add', 'origin', remote_url], check=True)

Tainted flow: 'token' from os.getenv (line 30, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
        return

    # Check whether the repository already exists
    resp = requests.get(f'{GITEE_API}/repos/the13ai/{REPO_NAME}', params={'access_token': token})
    if resp.status_code == 200:
        print(f"[*] Gitee仓库已存在: {REPO_NAME}")
    else:
Confidence
98% confidence
Finding
resp = requests.get(f'{GITEE_API}/repos/the13ai/{REPO_NAME}', params={'access_token': token})

Tainted flow: 'data' from os.getenv (line 54, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
            'has_issues': True,
            'has_wiki': True
        }
        resp = requests.post(f'{GITEE_API}/user/repos', data=data)
        if resp.status_code == 201:
            print(f"[+] Gitee仓库创建成功: {REPO_NAME}")
        else:
Confidence
98% confidence
Finding
resp = requests.post(f'{GITEE_API}/user/repos', data=data)

Tainted flow: 'remote_url' from os.getenv (line 75, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    result = subprocess.run(['git', 'remote', 'get-url', 'gitee'], capture_output=True, text=True)
    if result.returncode == 0:
        subprocess.run(['git', 'remote', 'set-url', 'gitee', remote_url], check=True)
    else:
        subprocess.run(['git', 'remote', 'add', 'gitee', remote_url], check=True)
Confidence
97% confidence
Finding
subprocess.run(['git', 'remote', 'set-url', 'gitee', remote_url], check=True)

Tainted flow: 'remote_url' from os.getenv (line 75, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    if result.returncode == 0:
        subprocess.run(['git', 'remote', 'set-url', 'gitee', remote_url], check=True)
    else:
        subprocess.run(['git', 'remote', 'add', 'gitee', remote_url], check=True)

    result = subprocess.run(['git', 'push', '-u', 'gitee', 'master'], capture_output=True, text=True)
    if result.returncode == 0:
Confidence
97% confidence
Finding
subprocess.run(['git', 'remote', 'add', 'gitee', remote_url], check=True)

Tainted flow: 'data' from os.getenv (line 169, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
        'auto_init': False
    }

    resp = requests.post(f'{GITEE_API}/user/repos', data=data)
    if resp.status_code == 201 or 'already exists' in resp.text.lower():
        print(f"[+] Gitee repo ready: gitee.com/sinadook/{repo_name}")
        return True
Confidence
97% confidence
Finding
resp = requests.post(f'{GITEE_API}/user/repos', data=data)

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This skill is described as a personal development-patterns/standards aid, but the file performs remote repository creation and code publication to Gitee. That is a materially different and more powerful capability that can exfiltrate local content to a third-party service, making the mismatch especially risky in an agent-skill context.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The script combines environment-sourced credentials, networked API calls, git remote reconfiguration, and git push behavior, all of which exceed the stated purpose of reusing patterns and standards. In a skill ecosystem, undeclared outbound publishing capability increases the risk of unexpected data transfer and abuse if the skill is invoked in broader workflows.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script's behavior—discovering credentials, creating remote repositories, changing git remotes, and pushing code—does not match the stated skill purpose of reusing personal development patterns. This mismatch is a strong indicator of deceptive packaging and makes the code substantially more dangerous because users would not reasonably expect account and publishing operations from this skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script actively searches multiple local sources for GitHub credentials, including environment variables, VS Code storage, and git credential helpers, without a compelling need tied to the advertised skill. This is classic secret-harvesting behavior and can enable unauthorized access to the user's GitHub account and repositories.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This block performs external repository creation and publication to GitHub/Gitee, far beyond the described scope of a development-patterns skill. When combined with harvested credentials, it creates a serious risk of unauthorized code exfiltration and persistent changes to the user's remote repositories.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document states the validation rule as "when M > 0, M/L = K", but the implemented code validates K as sum_target_l / count_z_ge1, i.e. effectively L/M = K. This inconsistency can cause downstream users or agents to implement the wrong formula, producing incorrect business metrics and faulty validation decisions in reports or automation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document explicitly states that a GitHub token exists in the remote URL, which indicates that a credential is embedded in the Git configuration or related tooling. Even though the token value is not shown here, documenting its presence normalizes an unsafe practice and suggests the environment may retain secrets in places that can be exposed via logs, config files, screenshots, shell history, or repository metadata; in an automation/publishing skill, that increases the chance of accidental disclosure and unauthorized repository access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide explicitly instructs users to generate a Gitee Access Token and set it in an environment variable, but it provides no warning that the token is a sensitive secret or guidance on secure handling, scope minimization, storage, or rotation. In a publishing guide for an agent skill, this can normalize unsafe secret practices and increase the chance of accidental disclosure through shell history, screenshots, logs, or over-privileged tokens.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script can create a remote repository, alter git remotes, and push code without any interactive warning or confirmation immediately before making the changes. In an automation or agent setting, that raises the chance of unintended publication of source code or metadata to an external service.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code embeds a sensitive access token into a git remote URL without warning the user that the credential may be stored in .git/config or exposed by git tooling. This weak secret-handling practice can lead to credential disclosure and unauthorized repository access if the local repo metadata is shared or inspected.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script accesses sensitive GitHub credentials from several local sources without a prominent warning, informed consent, or opportunity for the user to approve the action. This violates safe prompting and transparency expectations and is especially dangerous given the unrelated skill description.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script embeds the GitHub token into the remote URL and then updates git remotes and pushes code without an explicit safety warning or confirmation. This can both expose the token locally and cause immediate outbound publication of repository contents, making it a high-risk action that users may not anticipate.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal