Changelog Release Manager

Security checks across malware telemetry and agentic risk

Overview

This is a small changelog helper that only provides formatting guidance and does not install code, request credentials, or add persistence.

Install it as a lightweight changelog-formatting aid. Use it in the repository you intend to release from, and ask the agent to confirm before reading commit history from another project or sending repository details to any external service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger configuration is overly broad for a generic repository task: terms like changelog and release notes are common in normal development conversations and can cause the skill to activate when the user did not explicitly intend to invoke it. This can lead to unintended execution, context hijacking, or confusing agent behavior, especially in repositories where releases are discussed frequently.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal