Back to skill

Security audit

Who Is Actor

Security checks across malware telemetry and agentic risk

Overview

The skill is a read-only Git repository analysis helper with clear privacy limits, though some non-runtime documentation should be read carefully for stale wording.

Install only if you are comfortable granting the agent read-only access to the target repository's Git history. Use dry-run first, run it only on repositories you are authorized to analyze, and do not use the output for performance reviews, rankings, compensation, hiring, firing, or other personnel decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation makes inconsistent claims about whether contributor names appear in outputs: earlier sections state that reports produce no contributor display names at all, while later text says names may appear as Git attribution labels. This ambiguity can lead an agent or integrator to expose personal identity data contrary to the skill's stated privacy model, especially in a repository-analysis context where contributor metadata is sensitive and explicitly constrained.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill repeatedly promises that only aggregated metrics leave the host, but the documented bus-factor/report flow explicitly allows raw file paths to cross downstream boundaries. File paths can reveal customer names, internal architecture, secret-bearing filenames, or sensitive project structure, so this is a real data-minimization and privacy-contract violation.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The repository-wide 'Visible-Activity Index' creates a normalized score and banding system that can be easily repurposed for employee surveillance or personnel evaluation, despite the surrounding disclaimers. Scoring mechanisms are especially prone to misuse because they compress nuanced signals into a seemingly objective number that downstream users may treat as evaluative.

Intent-Code Divergence

Medium
Confidence
78% confidence
Finding
The skill asserts that only whitelist-represented git invocations are allowed, but later documents numerous specific command forms and flags not explicitly captured in that whitelist. This creates policy ambiguity that can lead implementers to execute commands outside the intended safety contract, weakening command-control and increasing risk of over-collection or unsafe expansion.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.