Security audit

gitea-routine-report

Security checks across malware telemetry and agentic risk

Overview

This is a real Gitea reporting skill, but it needs Review because it can gather broad repository activity and email HTML reports without a required confirmation step.

Install only if you intend to let this skill read Gitea repository activity and send reports by email. Use a read-only, least-privilege Gitea token, avoid the all-visible-repositories default unless intended, preview the report, and confirm recipients before sending. Ask the maintainer to add mandatory send confirmation, HTML escaping, safer temporary-file handling, cleanup, and pinned dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
76% confidence
Finding
The skill performs networked data access and email-related actions but does not declare permissions or clearly constrain those capabilities. Undeclared capabilities reduce transparency and policy enforcement, making it easier for the skill to access repository data and trigger outbound communications without appropriate review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill description understates its real behavior: it enumerates visible repositories, derives inactive-member information, retrieves owner email addresses, produces structured report data, and supports HTML email rendering. This mismatch can mislead users and reviewers about the scope of data collection and outbound sharing, increasing the risk of unintended privacy exposure and over-broad execution.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
The script collects more personal activity data than its stated purpose requires by enumerating all repository members, identifying inactive members, and retrieving their last commit dates. In a reporting workflow that emails administrators, this expands surveillance of contributor behavior and increases privacy and insider-risk exposure if reports are widely distributed or retained.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase is broad and maps by default to all visible repositories, so a casual request like '帮我生成进度报告' ("help me generate a progress report") could unintentionally initiate organization-wide data collection and reporting. In this skill’s context, over-broad triggering is dangerous because the workflow can culminate in generating and sending emails based on multiple repositories without a narrowing confirmation step.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill is designed to send HTML emails to repository administrators by default, but it does not clearly warn the user that an external communication will be sent or who the recipient will be. This creates a high risk of unintended outbound disclosure because repository activity summaries, AI-generated assessments, and risk notes may be emailed without explicit user approval.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow processes and transmits personal and potentially sensitive information, including admin email addresses, member activity, inactive-day calculations, and commit-derived summaries, but provides no privacy warning or minimization guidance. In a repository reporting context, this can expose personnel patterns and development details to recipients without informed consent or necessity checks.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The renderer interpolates untrusted fields from repository data and AI-generated content directly into HTML without escaping, including commit messages, filenames, member names, summaries, and risk notes. An attacker who controls commit metadata or AI prompt inputs can inject arbitrary HTML into the email body, causing phishing content, malicious links, tracking beacons, or layout manipulation in mail clients that permit HTML rendering.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
main.js:51