Shadows Smart Commit

Security checks across malware telemetry and agentic risk

Overview

This is a local Git commit helper with disclosed repository reads and local commit actions, but users should review its broad triggers and fixed co-author trailer before use.

Install only if you want an assistant to inspect Git diffs and help make local commits. Review the exact files staged, the generated commit message, and the Co-Authored-By trailer before allowing a commit, and treat any push as a separate explicit action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger phrases include very broad terms like "commit" and especially "push", which commonly appear in normal developer conversation and can cause the skill to activate in unintended contexts. Because this skill performs git staging/commit workflows, accidental invocation could lead to unintended repository modifications or pressure the agent toward high-impact actions without clear user intent.

Natural-Language Policy Violations

Medium
Confidence: 97%
Finding
The skill instructs the agent to always include a fixed `Co-Authored-By: Claude <noreply@anthropic.com>` trailer in commit messages without user request or consent. This can falsify authorship metadata, pollute repository history, and create trust, attribution, and compliance issues in environments where commit provenance matters.

VirusTotal

64/64 vendors flagged this skill as clean.