gh-pr-summary@ 1.0.1
github.com/skillox-examples/gh-pr-summary
Scanned Thu, 28 May 2026 12:19:34 GMT
Scan ID sample-grade-d · 0ms
D
SCORE 30 / 100
Verdict: Do not install
1 critical finding.
This skill exfiltrates environment secrets ($GITHUB_TOKEN).
1 critical0 high0 medium11 rules passed
Why grade D?
score · 30 / 100The current grade reflects 1 critical finding (any single CRIT → D).
1 CRIT0 HIGH0 MED0 LOW
To reach a higher grade
- CReach Ctarget score 55
Resolve all 1 CRIT findings.
- BReach Btarget score 75
Resolve all 1 CRIT.
- AReach Atarget score 95
Resolve all 1 CRIT.
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.
Findings · ordered by severity
critSkill references secret env var $GITHUB_TOKENThe skill instructions reference `$GITHUB_TOKEN`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.▾
Skill references secret env var $GITHUB_TOKEN
The skill instructions reference `$GITHUB_TOKEN`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
13## Authentication
14
15Reads $GITHUB_TOKEN from the environment and sends it as an Authorization header to api.github.com.← references $GITHUB_TOKEN — potential credential leak
16
skillox.io/r/sample-grade-d