Back to skill

Security audit

Commit Push

Security checks across malware telemetry and agentic risk

Overview

This skill transparently helps an agent commit and push repository changes, with review gates, but users should still verify what will be pushed before running it.

Install only if you want an agent to prepare commits and push to a configured git remote. Before using it, review `git status`, staged files, and the target remote/branch, and avoid pushing secrets, private files, or unrelated local changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This skill explicitly instructs the agent to run `git push` and to stage and commit all local changes, but it does not require an explicit user confirmation or warning that code and possibly sensitive data will be transmitted to a remote repository. In an agent context, that omission is dangerous because local changes may include secrets, private code, credentials, or unintended files, and the skill's framing normalizes exfiltration as a routine final step.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.