Nm Egregore Summon

Security checks across malware telemetry and agentic risk

Overview

This skill discloses itself as an autonomous coding orchestrator, but it can persist across sessions, change repository state, run local commands, and merge work with only limited user checkpoints.

Install only if you intentionally want a long-running autonomous development orchestrator. Review .egregore configuration first, keep auto_merge disabled unless you have branch protections and review gates, avoid durable cron scheduling unless you understand how to cancel it, and use it in repositories where automated branch, worktree, PR, and local script actions are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The intake module performs subprocess-style execution of a local Python script using values derived from parsed work item content. In an autonomous orchestrator that is instructed to never wait for human input, expanding intake from parsing into automatic command execution increases the attack surface and can enable unsafe side effects from untrusted issue or prompt content.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The trigger phrases are broad enough to match ordinary user language such as 'pipeline', 'mission', or backlog-processing requests, which can cause the autonomous orchestrator to activate unintentionally. In this skill's context, accidental activation is more dangerous because the skill is designed to run persistently, modify local state, invoke other skills, and potentially execute external actions like GitHub commands.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The skill instructs autonomous modification of `.egregore/manifest.json` to change run mode without a clear user-facing warning or confirmation. That is dangerous because it alters local project state and can switch the system into indefinite autonomous operation, which materially changes behavior beyond a one-shot task.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill directs creation of a recurring cron task that can re-invoke the orchestrator and persist autonomous behavior for days, but it does not provide a strong user warning or explicit opt-in. This is dangerous because recurring scheduled execution can survive interruptions, repeatedly act on local state, and trigger further tool use without a fresh user request, increasing the risk of runaway automation and unintended changes.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The instruction to 'never pause and wait for human input' pushes the orchestrator to resolve ambiguity on its own and continue toward shipping changes without explicit confirmation. In an autonomous pipeline/orchestrator context, this can cause unintended code changes, scope expansion, or risky assumptions to be merged while only being documented after the fact, which weakens human oversight rather than preserving it.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The skill directs automatic git branch creation and checkout during parsing without any approval checkpoint. In an autonomous pipeline/orchestrator context, unreviewed repository state changes can be triggered from external work item sources, making this more dangerous than in a purely interactive developer tool because it can alter local state unexpectedly and chain into later automated actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill documents automatic execution of a local Python script during intake with no user warning, tied to parsed content classified as discoveries. Because the orchestrator is autonomous and explicitly proceeds without human input, this creates a dangerous path where untrusted external content can trigger local program execution and side effects, which is substantially riskier in this context than ordinary documentation-driven automation.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
This documentation explicitly defines an automated `merge` step that can complete repository-impacting actions when `auto_merge: true` is enabled, but it does not include any warning, approval requirement, or safety constraints around that behavior. In an autonomous orchestrator skill, normalizing automatic merge behavior without prominent safeguards increases the risk that the agent will merge unreviewed or unsafe changes into the target branch.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
This section describes concurrent worktree execution and branch merging as standard orchestrator behavior, including automatic merge primitives, but omits warnings that these operations create branches, modify working trees, and merge code back into the repository. In the context of an autonomous pipeline/orchestrator skill, that omission is dangerous because it can mask the operational and security impact of running the skill at scale across multiple items.

VirusTotal

64/64 vendors flagged this skill as clean.