Caveman Commit

Security checks across malware telemetry and agentic risk

Overview

This appears to be a commit-message helper whose main risk is that broad activation wording could make it read staged changes sooner than intended.

Install if you want automatic commit-message help, but review staged changes first and avoid invoking it in repositories with secrets or private work you do not want summarized in the agent context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The skill declares an auto-trigger tied to broad user phrases and staging activity, which can cause the skill to activate when the user did not explicitly intend to invoke it. While this skill only generates commit text and does not itself run git commands, unintended invocation can still disrupt workflow, produce misleading commit messages, or cause sensitive staged changes to be summarized without deliberate user review.

VirusTotal

65/65 vendors flagged this skill as clean.