Back to skill

Security audit

Git Security Scanner & Repo Health Auditor

Security checks across malware telemetry and agentic risk

Overview

GitGuard appears to be a disclosed, read-only repository auditing tool; the main caution is ordinary dependency hygiene, not hidden or malicious behavior.

Install this only for repositories you intend to audit, because it will read source files and git metadata in the paths you provide. Use a GitHub token only if you want higher-rate read-only GitHub triage, and consider pinning or constraining requests in your environment before installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises operational capabilities that include environment access, file reads, network access, and shell usage, but it does not declare permissions or constraints for those behaviors. That creates a trust and review gap: an agent or user may invoke a tool that can inspect local repositories, read tokens from the environment, and execute git or other shell commands without an explicit capability declaration or minimization boundary.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
Confidence
96% confidence
Finding
requests>=2.28.0

Known Vulnerable Dependency: requests==2.28.0 — 8 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +5 more

High
Category
Supply Chain
Confidence
89% confidence
Finding
requests==2.28.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.