Code Sync

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Git batch-sync helper, but it can automatically push or pull many repositories under the configured code directory.

Install this only if you want an agent to batch-sync repositories in bulk. Keep the base directory narrow, review repo remotes first, avoid secrets in remote URLs, and ask for a scan/preview before invoking push mode if publishing commits without per-repo confirmation would be risky.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow explicitly performs batch push/pull actions automatically with no confirmation, which can modify many repositories and remote state immediately. In a multi-repo context this raises the risk of unintended pushes, pulling into the wrong branch state, network-side disclosure of unpublished commits, or mass operational disruption from a mistaken trigger.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Workflow (shared by both modes)

1. **Scan** → 2. **Categorize** → 3. **Batch action** (auto, no confirmation) → 4. **Handle exceptions** (interactive) → 5. **Summary**

If all repos are up-to-date, report that and stop.
Confidence
95% confidence
Finding
no confirmation

VirusTotal

65/65 vendors flagged this skill as clean.