GitCode API Usage

Security checks across malware telemetry and agentic risk

Overview

This is a coherent GitCode API helper skill whose token use and repository API capabilities are expected for its purpose, but users should handle tokens and write operations carefully.

Install only if you intend to automate GitCode through this SDK. Prefer a virtual environment, consider pinning the package version, use a least-privileged GitCode token, avoid passing tokens on the command line, and require explicit approval before create, update, delete, merge, transfer, webhook, OAuth, or permission-changing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 91%
Finding
The skill's invocation guidance is overly broad and can match many generic coding, debugging, or CLI requests involving GitCode, increasing the chance the agent will select this skill in contexts where it is unnecessary or inappropriate. Over-selection can expose repository-scoped actions, token-handling guidance, or installation/setup steps in situations that do not truly require this capability, expanding the attack surface for prompt-injection or unsafe tool use.

VirusTotal

57/57 vendors flagged this skill as clean.
