Back to skill

Security audit

commit

Security checks across malware telemetry and agentic risk

Overview

This skill clearly does what it advertises, but it can commit every local repository change and push it remotely without a built-in review step.

Install only if you are comfortable letting an agent stage all current changes, create a commit, and push the current branch. Before using it, check the branch, remote, untracked files, generated files, secrets, and whether the push could trigger CI/CD or expose private work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to stage all changes, create a commit, and push the current branch to origin automatically, which modifies repository state and publishes code remotely without an explicit confirmation or safety gate. This is dangerous because it can unintentionally include sensitive files, incomplete work, or maliciously introduced changes, and pushing amplifies the impact by distributing them to a shared remote repository.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.