Pr Triage

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-aligned for PR triage, but it can use the locally logged-in GitHub CLI account and optionally mutate PRs, which deserves review before installation.

Review before installing. Use it first in report-only mode, confirm gh auth status is the intended GitHub account, and avoid action mode unless you are comfortable with the exact comments and labels it will apply.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill invokes shell commands and can write output files, but it declares no permissions or safety constraints. In an agent environment, this can lead to execution or file modification capabilities being exposed without explicit user/admin approval, increasing the chance of unintended repo access or local file writes.

Intent-Code Divergence

Medium

Confidence: 98% confidence
Finding: The skill instructs the agent to unset GH_TOKEN and GITHUB_TOKEN before every gh command, which undermines normal authenticated GitHub CLI operation. In practice this can cause commands to fail, fall back to other credentials/config, or operate against the wrong identity/context, creating reliability and access-control confusion during PR triage and optional PR edits/comments.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal