Git Commit Assistant (Git提交助手)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a Git commit helper, but it may broadly activate and stage every repository change before committing, which users should review carefully.

Install only if you are comfortable with a helper that may stage all repository changes before committing. Before use, inspect git status and the exact staged diff, avoid repositories with secrets or unrelated local work, and prefer staged-only commits or explicit file selection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (81% confidence)
Finding
The activation keywords are extremely broad (e.g. 'git', '提交', 'commit'), making accidental invocation plausible during ordinary conversation. In the context of a skill that can stage all files and create commits, unintended activation increases the chance of repository-modifying actions without clear user intent.

Missing User Warnings

High (98% confidence)
Finding
The skill does not clearly warn that its commit path performs 'git add -A' before committing, which stages all tracked and untracked changes in the repository. In a developer environment, that can unintentionally commit secrets, local config, generated artifacts, or unrelated work, causing integrity and confidentiality impact.

VirusTotal

65/65 vendors flagged this skill as clean.
