R Package Development — From Zero to CRAN & Bioconductor

Security checks across malware telemetry and agentic risk

Overview

The skill appears legitimate, but it includes ready-to-run Git history rewrite and force-push commands without enough safety guidance.

Install only if you are comfortable treating the Git history-rewrite section as expert-only guidance. Before running any force-push or filter-branch command, verify the target branch and remote, make a backup branch or tag, coordinate with collaborators, and prefer safer guarded commands such as force-with-lease where appropriate.

SkillSpector

By NVIDIA

Vulnerability Patterns

Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The document includes `git filter-branch` followed by `git push --force origin main`, which rewrites repository history and can permanently discard commits or disrupt collaborators if copied blindly. In an agent skill context, presenting destructive commands without an explicit warning, safer alternatives, or confirmation steps increases the chance of accidental data loss and repository corruption.

Tool Parameter Abuse

High

Category: Tool Misuse
Content: export GIT_COMMITTER_NAME="RealName" export GIT_COMMITTER_EMAIL="real@email.com" ' HEAD git push --force origin main ```
Confidence: 95% confidence
Finding: git push --force

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal