Nm Attune Project Init

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed project-scaffolding workflow that creates local project files and git setup with user confirmation for overwrites.

Install only if you want an agent to scaffold or update local project configuration. Review generated files before accepting overwrites, and be aware it may read git user name/email to prefill project metadata.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The manifest-style trigger list is split across three entries: 'starting a new Python', 'Rust', and 'or TypeScript project from scratch'. As written, 'Rust' by itself is overly broad and the combined activation condition is unclear, which could cause unintended invocation or inconsistent matching.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal