GitHub Skills Assistant

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real GitHub integration, but it needs review because it can make authenticated changes to GitHub, including an under-documented pull-request action, without built-in confirmation.

Install only if you intend to let the assistant use a GitHub token that can create issues, repositories, and pull requests. Prefer a narrowly scoped token: public_repo instead of full repo where that suffices, or a fine-grained personal access token restricted to the repositories the assistant actually needs. Scope limits the blast radius but does not stop the skill from writing inside the repositories it can reach, so confirm each GitHub write action yourself before allowing the agent to run it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill documentation declares access to GitHub credentials and clearly implies outbound GitHub API use, yet there is no explicit permissions declaration governing environment-variable access or network operations. This creates a transparency and policy-enforcement gap: users may authorize or install the skill without understanding it can read secrets and make authenticated remote requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
80% confidence
Finding
The documented purpose understates the full behavior detected by analysis, including repository creation, pull request creation, and owner/repo-specific access. Description-behavior mismatches are dangerous because they can hide write-capable or broader-than-expected actions behind a seemingly limited integration, increasing the chance of unauthorized or surprising changes to GitHub resources.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The README advertises `Create Repos`, which is a state-changing capability not reflected in the stated skill metadata scope. This kind of scope mismatch can mislead operators and reviewers about what the skill is allowed to do, increasing the risk of unintended repository creation or approval of overly broad permissions.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The declared API surface includes state-changing capabilities to create repositories and pull requests, but the manifest description only advertises querying, issue creation, and repository search/activity features. This mismatch can cause users, reviewers, or policy systems to underestimate the skill's write capabilities, increasing the risk of unauthorized or unexpected destructive actions through hidden functionality.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The top-level skill description says only 'Query and manage GitHub repositories', which is vague and does not clearly disclose that the skill can create repositories, issues, and pull requests. In an agent setting, understated write capabilities can mislead users or orchestration layers into invoking a tool with higher-impact side effects than expected.
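The three description-behavior mismatches above, together with the missing permissions declaration in the first finding, are gaps a reviewer can check mechanically before installing a skill. The block below is an added example, not the skill's code and not SkillSpector's own logic: it compares a constructed manifest against constructed skill source that mirrors the findings (the function names, manifest fields, and the detection of HTTP calls through `requests`/`httpx` are all assumptions) and reports write-capable functions the manifest does not list, plus network and environment-variable access the manifest never declares.

```python
import ast

# Hypothetical manifest and skill source, constructed to mirror the findings.
SKILL_MANIFEST = {
    "name": "github-skills-assistant",
    "description": "Query and manage GitHub repositories",
    "tools": ["search_repos", "create_issue"],
    "permissions": {"network": False, "env": []},   # nothing declared
}

SKILL_SOURCE = '''
import os
import requests
API = "https://api.github.com"
TOKEN = os.environ["GITHUB_TOKEN"]
HEADERS = {"Authorization": f"token {TOKEN}"}

def search_repos(q):
    return requests.get(f"{API}/search/repositories", params={"q": q}, headers=HEADERS).json()

def create_issue(owner, repo, title, body=""):
    return requests.post(f"{API}/repos/{owner}/{repo}/issues", json={"title": title, "body": body}, headers=HEADERS)

def create_repo(name, private=False):
    return requests.post(f"{API}/user/repos", json={"name": name, "private": private}, headers=HEADERS)

def create_pull_request(owner, repo, title, head, base, body=""):
    return requests.post(f"{API}/repos/{owner}/{repo}/pulls",
                         json={"title": title, "head": head, "base": base, "body": body}, headers=HEADERS)
'''

HTTP_CLIENTS = {"requests", "httpx"}                 # assumed client modules
WRITE_METHODS = {"post", "put", "patch", "delete"}   # HTTP verbs that change remote state
WRITE_WORDS = ("create", "open", "write", "modify", "delete", "push")


def _is_attr(node, name):
    return isinstance(node, ast.Attribute) and node.attr == name


def http_calls(fn):
    """HTTP methods called through a known client anywhere in one function body."""
    methods = set()
    for node in ast.walk(fn):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id in HTTP_CLIENTS):
            methods.add(node.func.attr.lower())
    return methods


def env_reads(tree):
    """Variables read via os.environ[...], os.environ.get(...) or os.getenv(...). Python 3.9+ AST."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Subscript) and _is_attr(node.value, "environ"):
            if isinstance(node.slice, ast.Constant):
                names.add(str(node.slice.value))
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            f = node.func
            if f.attr == "getenv" or (f.attr == "get" and _is_attr(f.value, "environ")):
                if node.args and isinstance(node.args[0], ast.Constant):
                    names.add(str(node.args[0].value))
    return names


def audit_skill(manifest, source):
    """Report where the code's real capabilities exceed what the manifest discloses."""
    tree = ast.parse(source)
    per_fn = {n.name: http_calls(n) for n in tree.body if isinstance(n, ast.FunctionDef)}
    write_fns = {name for name, m in per_fn.items() if m & WRITE_METHODS}
    network_fns = {name for name, m in per_fn.items() if m}
    declared = set(manifest.get("tools", []))
    perms = manifest.get("permissions", {})
    undeclared = set()
    if network_fns and not perms.get("network"):
        undeclared.add("network")
    for var in sorted(env_reads(tree) - set(perms.get("env", []))):
        undeclared.add(f"env:{var}")
    desc = manifest.get("description", "").lower()
    return {
        "undisclosed_write_tools": write_fns - declared,        # state-changing, not in manifest
        "declared_write_tools": write_fns & declared,           # in manifest, but still need a warning
        "undeclared_permissions": undeclared,                   # network / env access never declared
        "description_mentions_writes": any(w in desc for w in WRITE_WORDS),
    }


if __name__ == "__main__":
    for key, value in audit_skill(SKILL_MANIFEST, SKILL_SOURCE).items():
        print(f"{key}: {value}")
```

On the constructed input this flags create_repo and create_pull_request as undisclosed write tools, create_issue as a declared write tool whose description carries no warning, and network plus GITHUB_TOKEN as undeclared permissions. The check is deliberately syntactic: a skill that builds requests through an indirection this does not recognise would pass it, so it complements rather than replaces reading the code.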

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README presents issue creation and repository creation as routine commands without prominently warning that these actions modify remote GitHub state. In an agent context, unclear disclosure of write actions can cause users to invoke destructive or unintended changes under the mistaken belief that the skill is read-only or low-risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This function performs an authenticated POST to create a GitHub issue immediately from supplied arguments, with no confirmation gate, allowlist, or approval workflow. In an agent setting, prompt injection or accidental invocation could cause unintended writes to repositories the token can access.

Missing User Warnings

High
Confidence
95% confidence
Finding
This function creates a new repository through an authenticated API call without any interactive confirmation or policy checks. In an autonomous or tool-using agent context, that can lead to unauthorized asset creation, namespace clutter, accidental exposure settings, or abuse of the linked GitHub account.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code can open pull requests on behalf of the authenticated user with attacker-controlled title/body/head/base parameters and no confirmation step. In an agent environment, that creates risk of unauthorized workflow changes, spam PRs, or social-engineering content being submitted to real repositories.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This file exposes state-changing GitHub actions such as create_issue, create_repo, and create_pull_request without any visible confirmation, warning, or friction mechanism. In a conversational agent context, that increases the risk of accidental or prompt-induced writes to GitHub resources, especially when users may assume all available actions are informational.
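Every finding above comes down to the same missing control: a write tool runs the moment the agent calls it. One way to add the confirmation gate, allowlist and audit trail the findings ask for is to wrap the dispatcher that hands tool calls to the skill, so that no write reaches GitHub without passing policy first. The block below is an added example, not the skill's own code; the tool names, the owner/repo argument names and the `owner/*` wildcard convention are assumptions, and nothing in it contacts GitHub.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set

# Tool names that mutate remote GitHub state; everything else is treated as read-only.
# These names are assumptions taken from the findings, not the skill's actual code.
WRITE_TOOLS = {"create_issue", "create_repo", "create_pull_request"}


@dataclass
class Policy:
    allowed_repos: Set[str]                  # "owner/repo", or "owner/*" for any repo under an owner
    confirm: Callable[[str, dict], bool]     # human-in-the-loop prompt; must see the full arguments
    audit: List[str] = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    reason: str


def _describe(tool: str, args: dict) -> str:
    # Render every argument so a prompt-injected title or body is visible to the approver.
    return f"{tool}(" + ", ".join(f"{k}={v!r}" for k, v in sorted(args.items())) + ")"


def gate(policy: Policy, tool: str, args: dict) -> Decision:
    """Decide whether an agent-requested tool call may run."""
    if tool not in WRITE_TOOLS:
        return Decision(True, "read-only tool")
    owner = args.get("owner")
    repo = args.get("repo")
    if tool == "create_repo":
        # No repository exists yet: only allow creation under an owner allowlisted with a wildcard.
        if f"{owner}/*" not in policy.allowed_repos:
            policy.audit.append(f"DENY {_describe(tool, args)}: owner {owner!r} not allowlisted")
            return Decision(False, f"repo creation under {owner!r} not allowlisted")
    elif not owner or not repo:
        return Decision(False, "write tool called without owner/repo")
    elif f"{owner}/{repo}" not in policy.allowed_repos and f"{owner}/*" not in policy.allowed_repos:
        policy.audit.append(f"DENY {_describe(tool, args)}: {owner}/{repo} not allowlisted")
        return Decision(False, f"{owner}/{repo} not in allowlist")
    # Allowlist passed; the human still has to approve this specific call.
    if not policy.confirm(tool, args):
        policy.audit.append(f"DENY {_describe(tool, args)}: user declined")
        return Decision(False, "user declined confirmation")
    policy.audit.append(f"ALLOW {_describe(tool, args)}")
    return Decision(True, "allowlisted and confirmed")


def run_tool(policy: Policy, tool: str, args: dict, execute: Callable[[str, dict], object]):
    """Wrap the real tool dispatcher so writes cannot bypass the gate."""
    decision = gate(policy, tool, args)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    return execute(tool, args)


if __name__ == "__main__":
    # Constructed demo: an approver that reads from the terminal, and a fake executor.
    policy = Policy(
        allowed_repos={"acme/api"},
        confirm=lambda t, a: input(f"Allow {_describe(t, a)}? [y/N] ").strip().lower() == "y",
    )
    fake_execute = lambda t, a: f"(would call the GitHub API for {t})"
    print(run_tool(policy, "search_repos", {"q": "language:python"}, fake_execute))
    try:
        run_tool(policy, "create_issue", {"owner": "someone-else", "repo": "x", "title": "spam"}, fake_execute)
    except PermissionError as e:
        print("blocked:", e)
    print(policy.audit)
```

The allowlist is checked before the prompt, so the user is never asked to approve writes to repositories the policy excludes, and the approver sees the complete argument list, so an injected issue body or PR title is visible before it is submitted. Token scope (public_repo versus repo, or a fine-grained token limited to the allowlisted repositories) is a separate layer: it bounds the damage if the gate is bypassed, but it does not replace it.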

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal