Security audit

Gitrama — Git History Intelligence

Security checks across malware telemetry and agentic risk

Overview

Gitrama does what it claims, but it sends git repository context to Gitrama's servers, so users should only use it with repositories they are comfortable sharing.

Install only if you are comfortable sending git history, diffs, staged changes, branch names, contributor data, and file-tree context to api.gitrama.ai. Avoid using it on proprietary, regulated, or secret-containing repositories unless you have reviewed Gitrama's privacy and retention practices and accepted that data-sharing risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The README makes a misleading safety claim: it says 'Nothing sensitive runs on your machine' immediately after explaining that local git context is gathered and sent to a remote API. Repository context, commit history, diffs, filenames, author metadata, and staged changes can themselves be sensitive, so this phrasing can cause users to underestimate data exposure and disclose proprietary information.

Vague Triggers

Medium
Confidence: 79%
Finding
The examples use broad natural-language requests such as asking what changed in a repo or generating commit messages, but they do not define clear trigger boundaries, repository scope, or exclusions for sensitive contexts. In an agent environment, this can lead to overbroad activation and unintended analysis of whatever repository the user is currently in, increasing the chance that private code history is processed or exfiltrated without sufficiently explicit intent.

Missing User Warnings

Medium
Confidence: 96%
Finding
The README states that local git context is collected and sent via POST to api.gitrama.ai, but it does not provide a prominent warning that repository data leaves the machine for third-party processing. Because git history and staged diffs often contain secrets, internal code, incident details, or intellectual property, users may unknowingly transmit sensitive material to an external service.

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger list includes broad phrases like 'what happened', 'repo summary', and 'who changed', which can match ordinary conversation and cause the skill to activate unexpectedly. In this skill's context, unexpected activation is more dangerous because activation can lead to local repo inspection and transmission of code history/context to a remote AI service.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill description emphasizes AI-powered Git analysis but does not prominently warn, up front, that repository context, commits, diffs, and other metadata are sent to `api.gitrama.ai`. Because repository history and staged diffs often contain proprietary code, secrets, internal URLs, or sensitive business context, insufficient disclosure can lead to unintentional exfiltration of confidential data.

VirusTotal

64/64 vendors flagged this skill as clean.
