Nm Leyline Sem Integration

Security checks across malware telemetry and agentic risk

Overview

This markdown-only skill gives coherent guidance for using the sem semantic diff tool, with one optional installer command that users should review before running.

Before installing sem, prefer Homebrew or cargo install when available. If using the Linux curl command, verify the GitHub release source and integrity first, and understand that writing to /usr/local/bin modifies a system-wide executable path.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The Linux installation path downloads an executable from the network and writes it directly to `/usr/local/bin/sem`, a system-wide location, without explicitly warning about system modification, trust implications, or likely privilege requirements. In an agent skill context, this is risky because it normalizes a copy-paste install flow that may prompt users to run elevated commands and install unverified binaries without clear consent or integrity verification.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal