Security audit

Git Workflow Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple git workflow guide with no install script or executable payload; the only minor concern is an unnecessary curl requirement.

Before installing, note that the skill mainly provides local git command suggestions and includes promotional links. The extra curl requirement is unnecessary for the documented behavior; avoid following any future network-related suggestions from this skill unless they are clearly explained and user-directed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Context-Inappropriate Capability

Low

Confidence: 93% confidence
Finding: The skill declares `curl` as a required binary even though the documented functionality is limited to local git inspection and cleanup commands. This creates unnecessary network-capable surface area and is especially concerning because the same file prominently advertises external services and links, making later remote-fetch behavior easier to justify or add without user scrutiny.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.