Sovereign project-setup-wizard

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local project scaffolding tool that creates project files and may initialize Git, with no supported evidence of hidden execution or data theft.

Install this only if you want a local bash-based scaffolder that writes many files. Use --dry-run first, choose a simple project name and output directory, use --no-git-init if you do not want a repository created, and review any git name/email copied into generated files before publishing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger phrases are generic project-related terms such as 'scaffold', 'new project', and 'create project', which are likely to appear in ordinary user conversations. In an agent ecosystem, this can cause unintended invocation of the skill, leading it to run in contexts where the user did not explicitly intend project generation or shell/script execution.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal