Git Workflow

Security checks across malware telemetry and agentic risk

Overview

This git workflow skill is mostly coherent, but it tells the agent to push commits to a remote repository automatically without asking first.

Install only if you are comfortable with commit operations also publishing to the configured remote by default. Before using it, consider overriding the auto-push rule so the agent must show the branch, remote, staged files, and active GitHub account before any push, tag, PR, or release.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The instruction to always push immediately after every commit removes an important confirmation point before code leaves the local repository. In a git workflow skill, this is more dangerous because users are likely delegating real repository operations, so automatic push can leak incomplete, sensitive, or policy-violating changes to a shared remote without checking branch state, remote divergence, or target correctness.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal