Back to skill

Security audit

AI Commit Message Generator

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Git commit helper whose repository changes are expected for its stated purpose, with minor caution around staged diffs and amend commits.

Install only if you are comfortable with the agent reading staged diffs and creating commits when invoked. Use `--dry-run` for preview, review staged files for secrets first, and use `--amend` only when you intentionally want to modify the previous commit, especially on shared branches.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly supports `/commit --amend` and direct commit execution but does not clearly warn that amending rewrites repository history and can overwrite or obscure prior work. In an agent context, this is risky because users may invoke the skill expecting message generation only, while the documented workflow includes state-changing git operations.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.