Back to skill

Security audit

CI Tools Pipeline

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for GitLab CI/CD work, but it normalizes skipping CI on a remote push without clear safeguards.

Review this skill before installing if your repositories require branch-push pipelines or protected CI controls. Use it only where skipping the initial push pipeline is an accepted workflow and an MR pipeline is immediately run and required before merge.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly recommends pushing with `-o ci.skip` before running an MR pipeline, which bypasses normal branch-push validation and can allow unvalidated or policy-violating changes to enter the remote repository. In a CI/CD skill, this is especially dangerous because it normalizes evading mandatory automation checks in a sensitive deployment path and may be misused to hide broken or risky pipeline changes.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.