研发经理助手 (R&D Manager Assistant)

Security checks across malware telemetry and agentic risk

Overview

This is a local R&D reporting helper, but it needs review because it can read project data, overwrite chosen report files, and change a Git repository's checked-out branch without clear confirmation.

Install only if you are comfortable letting the skill run local scripts against selected repositories and team configs. Confirm the target repository and output paths before execution, avoid running git-stats on a repo with uncommitted work, and treat generated reports as sensitive internal project documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence: 85%
Finding
The README claims that "all data is stored locally and is never uploaded to any third-party service", but the same document also describes triggering AI-driven analysis and report generation through an OpenClaw conversation. This creates a clear security and privacy misrepresentation: users may, acting on that false understanding, enter sensitive information such as repository paths, team member email addresses and project status, and under the product's actual architecture that data may be processed by the platform or the model.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The script is described as a statistics tool for reading Git history, but it performs `git checkout $BRANCH`, which mutates repository state. In an automation or agent context, this can disrupt a user's working tree, detach them from their current branch context, trigger checkout hooks, or overwrite local expectations, making a supposedly read-only reporting action unexpectedly state-changing.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The comments and functional framing imply the script only fetches statistics, but the implementation modifies the repository before collecting data. This mismatch is dangerous because users and higher-level agents may grant broader trust to a 'read-only' tool, leading to unintended side effects in active repositories or CI workspaces.

Vague Triggers

Medium
Confidence: 80%
Finding
The trigger phrases in the documentation, such as "生成晨会报告" (generate the stand-up report), "项目进度如何" (how is the project progressing) and "帮我审查这个 PR" (help me review this PR), are so natural and broad that they easily overlap with ordinary conversation, causing the skill to be activated in unintended situations. Once mis-triggered, it may automatically read repositories or configuration, or generate reports containing sensitive project content, leading to information exposure or unauthorized operations.

Vague Triggers

Medium
Confidence: 89%
Finding
The invocation examples use generic phrases like '生成晨会报告' (generate the stand-up report) and similar natural conversation triggers that can overlap with ordinary chat. In an agent setting, overly broad triggers can cause unintended tool execution against local repositories or configs when the user only meant to discuss a task, not authorize shell/file operations.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill describes reading repository data and team/project configuration, including member names, emails, and repo paths, without explicit privacy warnings or consent language. Because these inputs may contain sensitive internal metadata, users may unknowingly expose project structure, personnel information, or code activity details to the agent and generated reports.

VirusTotal

64/64 vendors flagged this skill as clean.