Back to skill

Security audit

Git Commit Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple commit-message helper that processes user-provided git diffs, with no executable code or hidden persistence, but users should avoid sharing sensitive diffs.

Install only if you are comfortable using a skill to summarize code changes. Review and redact diffs before sharing them, especially for secrets, credentials, customer data, internal URLs, or proprietary code. Treat generated git commit commands as text to review, not something to run blindly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The usage section exposes broad natural-language triggers like 'write a commit message for my staged changes' without defining boundaries, exclusions, or required user confirmation before operating on repository diffs. In a skill that processes git diffs, vague invocation patterns increase the chance the agent will activate in unintended contexts and encourage users to paste sensitive source code or secrets without realizing the privacy implications.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly asks users to paste `git diff --staged` output but provides no warning that diffs may contain proprietary code, credentials, tokens, internal URLs, or personal data. Because commit-generation necessarily involves transmitting or processing raw code changes, omission of a clear sensitivity warning creates a real data exposure risk, especially if users assume the tool is safe for any staged content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.