Code Graph (代码图谱)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed GitNexus setup skill, but users should review the environment-changing setup and git troubleshooting commands before running them.

Install this only if you want GitNexus added to your environment and your editor/MCP configuration updated. Review npm/npx commands before execution, and do not run the git add/commit troubleshooting example unless you have reviewed .gitignore and the files that would be committed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to run commands that can globally install software and modify editor/MCP configuration without requiring an explicit warning or confirmation from the user at the point of action. This is risky because these changes affect the user's broader environment beyond the current project, may alter trusted tooling behavior, and are not easily scoped or undone if triggered unintentionally.

Missing User Warnings

High
Confidence: 98%
Finding
The troubleshooting section suggests `git init && git add . && git commit -m "initial"` without a strong warning that this creates a repository and commits the entire current directory contents. That can accidentally capture secrets, large/generated files, or unrelated data and permanently change repository state, which is especially dangerous in an automated skill context.

VirusTotal

63/63 vendors flagged this skill as clean.
