Zeelin Report Publisher

Security checks across malware telemetry and agentic risk

Overview

This skill automates a disclosed GitHub pull-request workflow for publishing report files, but its optional setup can create persistent GitHub SSH access.

Install and run this only if you intend to publish reports through a GitHub PR for the target report-site repository. Run bootstrap only on a trusted machine and GitHub account, consider using the skip options if credentials are already configured, and remove the uploaded SSH key later if you do not want persistent GitHub SSH access. Review the generated branch and PR before merging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no explicit permissions while instructing use of file reads/writes, shell execution, network access, git operations, and GitHub interactions. This creates a transparency and consent problem: an agent or user may authorize the skill without understanding it can mutate repositories and communicate with external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The advertised purpose is report publishing, but the workflow also includes security-sensitive bootstrap actions such as configuring global git identity, authenticating GitHub, generating/uploading SSH keys, cloning repos, and testing push access. That mismatch is dangerous because users may invoke a content-publishing skill without realizing it can alter system-wide developer settings and establish persistent credentials.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script’s stated purpose is report publishing, but it also performs global Git identity changes, GitHub CLI authentication, SSH key management, repository cloning, remote modification, and permission probing. This is dangerous because it expands the skill’s authority far beyond the minimum needed, increasing the chance of unintended account-wide changes and creating unnecessary access-management side effects on the operator’s machine and GitHub account.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script creates or reuses the user’s default SSH key, uploads it to GitHub through `gh`, and tests authentication to `git@github.com`. In the context of a report-publishing skill, managing account credentials and linking a local machine key to GitHub is unnecessarily powerful and can permanently broaden repository access beyond the immediate task.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill describes actions that modify repository contents, create branches, push to remotes, and perform GitHub bootstrap, but it does not present a prominent impact warning or explicit confirmation gate before these irreversible or externally visible operations. In agent settings, this can lead to unintended file changes, credential-related side effects, or publication to remote repositories with insufficient user awareness.

VirusTotal

66/66 vendors flagged this skill as clean.