Nm Sanctum Git Workspace Review

Security checks across malware telemetry and agentic risk

Overview

This Git review skill is mostly coherent, but it is labeled read-only while its steps instruct agents to run a formatter and change the staging (index) state.

Install only if you are comfortable with an agent using this skill to run formatters and adjust staged files during Git review. Treat it as a mutating pre-commit workflow, not a read-only verifier, and require explicit confirmation before formatting, staging, unstaging, or aborting merges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 99%
Finding
The skill claims to be read-only, yet it instructs running `make format`, which commonly rewrites files. In an agent setting, this can cause unintended working tree modifications, obscure the original diff under review, and violate user expectations about non-mutating inspection tasks.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The skill claims to be read-only, yet it instructs running `make format`, which commonly rewrites files. In an agent setting, this can cause unintended working tree modifications, obscure the original diff under review, and violate user expectations about non-mutating inspection tasks.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The documentation repeatedly frames the skill as a read-only verifier, but later steps instruct mutations to both the Git index and working tree. This discrepancy increases the chance that an agent will perform state-changing operations under a low-risk label, undermining trust boundaries and safe tool-use policies.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The triggers `git`, `preflight`, `status`, `diff`, and `staged` are broad and likely to match many ordinary repository requests. In an agent ecosystem, overly generic triggers can cause the wrong skill to activate, unexpectedly injecting mutating workflow steps into unrelated Git interactions.

Shadow Command Trigger

Severity: Medium
Category: Trigger Abuse
Confidence: 90%
Finding
Using `status` as a trigger risks colliding with built-in or expected `status` functionality. This can redirect normal status requests into this skill's broader workflow, increasing the chance of unintended repository actions beyond simple inspection.

Shadow Command Trigger

Severity: Medium
Category: Trigger Abuse
Confidence: 90%
Finding
Using `diff` as a trigger similarly risks shadowing built-in diff behavior. A user asking for a plain diff could instead invoke this multi-step skill, which includes non-read-only guidance and therefore expands the action surface unexpectedly.
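
The checks behind these findings can be automated. The Python below is an added example written for this review; it is not SkillSpector's scanner and not the skill's own code. It assumes a simple skill manifest layout (frontmatter with `read_only` and `triggers` fields, shell steps on lines beginning with `$ `) and runs two checks over a constructed sample skill that mirrors the behaviour described in the findings. `classify_command` decides whether a step is read-only, mutating or unknown, which is also the test a confirmation gate needs before formatting, staging, unstaging or aborting a merge; `audit` reports Description-Behavior Mismatch for a read-only skill that instructs non-read-only steps, and Shadow Command Trigger or Overly Broad Trigger for single-word triggers. The command and trigger word lists are assumptions and are not exhaustive.

```python
"""Static checks on an agent skill manifest: does a skill that declares itself
read-only instruct mutating commands, and are its triggers broad enough to
shadow ordinary Git requests?  Added example, not SkillSpector's or the skill's
code. The manifest layout (frontmatter with read_only/triggers, commands on
lines beginning with '$ ') and the sample skill text are assumed/constructed."""
import re
import shlex
from dataclasses import dataclass

# Git subcommands that leave HEAD, index and working tree untouched (assumed list).
READ_ONLY_GIT = {"status", "diff", "log", "show", "ls-files", "rev-parse", "blame"}
# Git subcommands that change the index, working tree, refs or merge state (assumed list).
MUTATING_GIT = {"add", "rm", "mv", "commit", "reset", "restore", "checkout", "switch",
                "stash", "merge", "rebase", "cherry-pick", "revert", "clean", "push", "pull"}
# Read-only shell utilities a review skill may reasonably run.
READ_ONLY_TOOLS = {"cat", "ls", "grep", "rg", "head", "tail", "wc"}


def git_subcommand(argv):
    """First argument after git's global options, honouring options that take a value."""
    i = 1
    while i < len(argv):
        if argv[i] in ("-C", "-c", "--git-dir", "--work-tree"):
            i += 2
        elif argv[i].startswith("-"):
            i += 1
        else:
            return argv[i]
    return None


def classify_command(cmd):
    """Return 'read-only', 'mutating' or 'unknown' for one shell command line.
    Anything not provably read-only should require confirmation in a review skill."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return "unknown"
    if not argv:
        return "read-only"
    prog = argv[0]
    if prog == "git":
        sub = git_subcommand(argv)
        if sub in READ_ONLY_GIT:
            return "read-only"
        return "mutating" if sub in MUTATING_GIT else "unknown"
    if prog == "make":
        # Targets such as `format`, `fmt` or `lint-fix` rewrite files in place.
        targets = [a for a in argv[1:] if not a.startswith("-") and "=" not in a]
        return "mutating" if any(re.search(r"format|fmt|fix", t) for t in targets) else "unknown"
    return "read-only" if prog in READ_ONLY_TOOLS else "unknown"


@dataclass
class Skill:
    name: str
    read_only: bool
    triggers: list
    commands: list


def parse_skill(text):
    """Parse '---' frontmatter (key: value lines) and collect commands on '$ ' lines."""
    lines = text.strip().splitlines()
    end = lines.index("---", 1)
    meta = {}
    for line in lines[1:end]:
        key, _, value = line.partition(":")
        meta[key.strip()] = value.strip()
    commands = [ln.strip()[2:] for ln in lines[end + 1:] if ln.strip().startswith("$ ")]
    return Skill(
        name=meta.get("name", ""),
        read_only=meta.get("read_only", "false").lower() == "true",
        triggers=[t.strip() for t in meta.get("triggers", "").split(",") if t.strip()],
        commands=commands,
    )


@dataclass
class Finding:
    pattern: str
    severity: str
    detail: str


def audit(skill):
    """Apply the two checks from the findings: description/behaviour mismatch and trigger abuse."""
    findings = []
    if skill.read_only:
        for cmd in skill.commands:
            kind = classify_command(cmd)
            if kind != "read-only":
                findings.append(Finding("Description-Behavior Mismatch",
                                        "High" if kind == "mutating" else "Medium",
                                        f"declared read-only but instructs `{cmd}` ({kind})"))
    for trig in skill.triggers:
        words = trig.lower().split()
        if len(words) != 1:
            continue  # multi-word triggers are specific enough for this check
        if words[0] in READ_ONLY_GIT | MUTATING_GIT:
            findings.append(Finding("Shadow Command Trigger", "Medium",
                                    f"trigger `{trig}` collides with `git {words[0]}`"))
        else:
            findings.append(Finding("Overly Broad Trigger", "Medium",
                                    f"single-word trigger `{trig}` matches ordinary requests"))
    return findings


# Constructed sample mirroring the behaviour the findings describe; not the real skill file.
SAMPLE_SKILL = """\
---
name: Git Workspace Review
read_only: true
triggers: git, preflight, status, diff, staged
---
Inspect the working tree and staged changes before the user commits.

  $ git status --porcelain
  $ git diff --cached

Normalize formatting so the diff is clean, then re-stage the result.

  $ make format
  $ git add -u

If a merge is in progress and cannot be resolved, abort it.

  $ git merge --abort
"""

if __name__ == "__main__":
    for f in audit(parse_skill(SAMPLE_SKILL)):
        print(f"{f.severity:6} {f.pattern}: {f.detail}")
```

Run directly, it prints the report for the constructed sample: three High mismatches (`make format`, `git add -u`, `git merge --abort`), shadow triggers for `status` and `diff`, and broad triggers for `git`, `preflight` and `staged`. Steps classified `unknown` are deliberately treated as needing confirmation rather than assumed safe, which is the conservative default the Overview asks for.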

VirusTotal

62 of 62 vendors reported this skill as clean.