Back to skill

Security audit

Web Deploy GitHub Pages

Security checks across malware telemetry and agentic risk

Overview

This skill does publish websites through GitHub Pages, but that behavior is coherent with its stated purpose and is disclosed in the artifacts.

Install only if you want an agent to create a GitHub repository, push site files, and make a GitHub Pages site live. Review generated content for secrets, personal data, and proprietary material before deployment, and use a GitHub account or token with only the permissions needed for the target repository.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to create a GitHub repository, configure Pages, push code, and make a site live, but it does not explicitly warn that this publishes content publicly on the internet. In an autonomous agent setting, that omission can cause unintended public disclosure of draft, personal, or sensitive content because the deployment step changes data exposure, not just local project state.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The troubleshooting guidance tells users to rely on authenticated GitHub CLI access and repository permissions, but it does not disclose that the deployment workflow will act using the user's GitHub authentication context and associated privileges. That can mislead users about the scope of account actions the skill may trigger, especially in autonomous execution environments.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
### 4. Deployment

GitHub Actions automatically deploys on push to main branch. The workflow:
- Checks out code
- Deploys to `gh-pages` branch
- Makes site live at `https://<username>.github.io/<project-name>/`
Confidence
78% confidence
Finding
automatically deploy

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.