Nm Attune Makefile Generation

Security checks across malware telemetry and agentic risk

Overview

This Makefile-generation skill appears purpose-aligned, but it needs Review because it may write or overwrite a project Makefile without clearly scoped user control.

Install only if you are comfortable with the assistant creating or replacing a Makefile in the working directory. Before using it, check whether your project already has a Makefile, ask for a preview or alternate output path, and require confirmation before any overwrite.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger list includes broad terms such as automation, build-tools, and development-workflow that are common in normal engineering conversations. This can cause the skill to activate outside the user's explicit intent and lead to unsolicited generation or overwriting of a Makefile, which is especially risky because the skill is designed to write project files.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill describes generating a Makefile but does not clearly warn that it writes a Makefile to the current project and may overwrite an existing file. In context, the workflow explicitly renders output to Path("Makefile"), so a user or agent could unintentionally replace project build automation and introduce disruption or loss of custom targets.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal