Scratch Refactoring For Code Understanding

Security checks across malware telemetry and agentic risk

Overview

This is a coherent developer workflow skill for temporary code refactoring, with the main risk being that users must be careful when discarding scratch git changes.

Install this only for deliberate code-comprehension sessions in a git repository. Before using it, confirm the working tree is clean or that important work is safely committed or backed up, and review any branch deletion, checkout, or stash pop command before allowing an agent to run it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill includes destructive git commands (`git checkout -- .`, branch deletion, and `git stash pop`) that can alter or discard local work. Although the document discusses using a clean working tree or stash, it does not place an immediate, explicit warning adjacent to the destructive commands about data loss and conflict risks, so an agent or user following the steps mechanically could lose uncommitted changes or reintroduce conflicts.

VirusTotal

65/65 vendors flagged this skill as clean.
