Nm Attune War Room Checkpoint

Security checks across malware telemetry and agentic risk

Overview

The skill appears locally focused, but it may persist sensitive decision and review context to predictable local files without clear user control.

Review the skill instructions before installing. Use it only if local checkpoint/audit files are acceptable for your projects, avoid running it on repositories with sensitive business discussions unless you understand what gets written, and delete or disable those logs if you do not want persistent records.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly instructs calling commands to log checkpoint and war-room data to predictable local paths containing decision context, files affected, rationale, voting summaries, and session metadata, but it provides no requirement to notify the user, obtain consent, minimize sensitive fields, or gate persistence by configuration. In an agent setting, this can silently persist sensitive repository, review, or organizational decision data on disk where other local users, backup systems, or later tools may access it, increasing privacy and data-retention risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal