Nm Sanctum Commit Messages

Security checks across malware telemetry and agentic risk

Overview

This appears to be a conventional commit-message helper with minor workflow risks, not evidence of harmful behavior.

Install if you want help drafting conventional commit messages from repository changes. Be aware it may inspect git diffs and create `commit_msg.txt`; review the file before using it and consider narrowing triggers if you do not want it invoked for general git questions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger list includes broad terms like 'git' and especially 'commit', which can cause the skill to activate for ordinary repository operations beyond the narrow task of drafting conventional commit messages. This increases the chance of unintended execution of the workflow, including running repository-inspection commands and writing files, in contexts where the user did not specifically request this skill.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding:
The skill instructs writing to './commit_msg.txt' but does not require explicit user confirmation or warn that it will modify the working directory. While low severity, this can create unintended filesystem changes, pollute the repo, or interfere with workflows and automation if the user expected analysis-only behavior.

VirusTotal

65/65 vendors flagged this skill as clean.