Nm Attune Project Execution

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed project-execution workflow that tracks implementation progress locally and does not show hidden, destructive, or exfiltration behavior.

Before installing, understand that this skill may create or update a local .attune/execution-state.json file and guide the agent to run normal project validation commands such as tests and linting. Consider adding the .attune state file to .gitignore if you do not want progress metadata committed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The skill explicitly instructs saving execution state to `.attune/execution-state.json` without warning the user that local project state will be modified. Silent writes can surprise users, interfere with repositories, leak project metadata into tracked files, or create persistence artifacts in sensitive workspaces.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal