Sovereign Codebase Onboarding

Security checks across malware telemetry and agentic risk

Overview

This appears to be a codebase onboarding helper whose broad repository reading is expected for its purpose, with privacy precautions users should keep in mind.

Install only for repositories you are comfortable letting the agent inspect. Before running it on private code, exclude files such as .env files, secrets, credentials, keys, deployment configs, and proprietary material you do not want summarized or surfaced in generated onboarding artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 88%
Finding
The README explicitly encourages repository-wide analysis and artifact generation but does not warn users that the skill may ingest, summarize, and surface sensitive source code, configuration, or architectural details. In a codebase-onboarding skill, this omission can lead to unintentional exposure of secrets, internal paths, or proprietary design information when used on private repositories.

VirusTotal

63/63 vendors flagged this skill as clean.
