
Security audit

github-mcp

Security checks across malware telemetry and agentic risk

Overview

This GitHub integration is purpose-aligned but needs review because it can use a GitHub token for real repository changes and recommends a remote authenticated endpoint without enough safety guidance.

Install only if you intend to give an agent GitHub API access. Prefer a fine-grained, least-privilege token limited to the needed repositories, use the local server for sensitive repositories unless you trust the remote MCP endpoint, and require explicit confirmation before file edits, public comments, branch deletion, workflow dispatch, repository creation, or other write actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers
Severity: Medium
Confidence: 91%
Finding:
The manifest description uses very broad activation criteria such as nearly any GitHub-related request, which can cause the skill to trigger in situations where the user did not intend to use an external GitHub-integrated capability. Because the skill supports remote API access and repository operations, overbroad triggering increases the chance of unnecessary tool invocation and unintended data exposure or side-effecting actions.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding:
The documentation recommends configuring a remote HTTP MCP endpoint with an Authorization bearer token but does not prominently warn that the GitHub token will be transmitted to an external service. This is dangerous because users may assume local handling while actually disclosing sensitive credentials to a remote endpoint, expanding trust boundaries and increasing the risk of token misuse or compromise.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding:
This reference documents numerous state-changing GitHub operations such as creating or updating files, creating issues and PRs, deleting branches, triggering workflows, forking repositories, and marking notifications as done, but provides no warning that these commands modify remote state. In an agent skill context, that omission is dangerous because users or downstream agents may treat the reference as informational and invoke destructive or irreversible actions against live repositories without clear confirmation or least-privilege safeguards.

Missing User Warnings
Severity: Low
Confidence: 84%
Finding:
The document instructs users to supply a GITHUB_TOKEN but does not warn about token scope minimization, secure storage, or avoiding accidental disclosure in logs, configs, or command history. In an MCP/agent environment, credentials are especially sensitive because tools may run automatically, propagate headers, or emit debug output that can expose tokens to unintended parties.

External Transmission
Severity: Medium
Category: Data Exfiltration
Content:
### Remote Server (HTTP) — Recommended

```bash
mcporter config add github --type http --url "https://api.githubcopilot.com/mcp/" --header "Authorization=Bearer ${GITHUB_TOKEN}"
```

### Local Stdio Server
Confidence: 96%
Finding:
https://api.githubcopilot.com/

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.