Contributor Guide Writer

Security checks across malware telemetry and agentic risk

Overview

Based on the checks below, this appears to be a contributor-guide helper whose main risk is ordinary workspace file creation (writing CONTRIBUTING.md), not malicious behavior.

Install only if you want the agent to help create or update contribution documentation. Before running it, ask the agent to show the planned CONTRIBUTING.md content or a diff against the existing file, especially if the repository already has one, so the write is reviewed rather than implicit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README states that the skill will automatically generate a CONTRIBUTING.md file, but it does not clearly warn users that this creates or overwrites a file in the workspace. In an agent setting, implicit file modification can lead to unintended repository changes, especially if the user expected analysis or advice rather than a write action.
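The guard this finding (and the overview's advice to review a diff first) calls for can be made explicit: never write CONTRIBUTING.md over an existing file without showing the change. The following is an added example, not code from the skill or from SkillSpector. It assumes a hypothetical helper that an agent wrapper or pre-commit hook would call with the proposed file content; the sample contents are constructed. A missing file is created outright, an identical file is left alone, and a differing file produces a unified diff and a staged `.proposed` copy until the user approves the overwrite.

```python
import difflib
import tempfile
from pathlib import Path

# Hypothetical guard: decide what writing `proposed` to repo_dir/name would do.
# Returns (action, diff_text) with action in {"create", "unchanged", "review"}.
def plan_write(repo_dir, proposed, name="CONTRIBUTING.md"):
    target = Path(repo_dir) / name
    if not target.exists():
        return "create", ""
    existing = target.read_text(encoding="utf-8")
    if existing == proposed:
        return "unchanged", ""
    diff = "".join(difflib.unified_diff(
        existing.splitlines(keepends=True),
        proposed.splitlines(keepends=True),
        fromfile=f"a/{name}", tofile=f"b/{name}"))
    return "review", diff

# Apply the plan. Only a fresh file, or an explicitly approved overwrite, touches
# the real target; otherwise the proposal is staged beside it for review.
def apply_plan(repo_dir, proposed, name="CONTRIBUTING.md", approve=False):
    action, _diff = plan_write(repo_dir, proposed, name)
    target = Path(repo_dir) / name
    if action == "create" or (action == "review" and approve):
        target.write_text(proposed, encoding="utf-8")
        return target
    if action == "review":
        staged = target.with_suffix(target.suffix + ".proposed")
        staged.write_text(proposed, encoding="utf-8")
        return staged
    return None  # unchanged: nothing written

# Walk through the three cases in a throwaway repo with constructed content.
def demo():
    with tempfile.TemporaryDirectory() as repo:
        proposed = "# Contributing\n\nRun `make test` before opening a PR.\n"
        # Case 1: no CONTRIBUTING.md yet, so creating it is not an overwrite.
        first, _ = plan_write(repo, proposed)
        wrote = apply_plan(repo, proposed)
        # Case 2: a maintainer-written file exists with different content.
        Path(repo, "CONTRIBUTING.md").write_text(
            "# Contributing\n\nOpen an issue first.\n", encoding="utf-8")
        second, diff = plan_write(repo, proposed)
        staged = apply_plan(repo, proposed)              # not approved: staged copy only
        apply_plan(repo, proposed, approve=True)         # approved: real overwrite
        # Case 3: target now matches the proposal, so a rerun is a no-op.
        final, _ = plan_write(repo, proposed)
        return {"first": first, "wrote": wrote.name, "second": second,
                "diff": diff, "staged": staged.name, "final": final}

if __name__ == "__main__":
    result = demo()
    print(result["first"], result["second"], result["final"])
    print(result["diff"])
```

The unified diff is what the user should be shown before `approve=True` is ever passed; an agent that skips straight to the overwrite is exactly the implicit write the finding describes.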

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The trigger description is broad enough to activate on general requests about local setup or project understanding, not just explicit requests to generate a CONTRIBUTING.md file. This can cause the skill to run in unintended contexts, leading to over-collection of repository context and responses that do not match user intent.

VirusTotal

64 of 64 vendors reported this skill as clean (no detections). A clean antivirus result covers the packaged files only; it does not evaluate the prompt-level issues listed in the findings above.
