Recoup Sandbox Setup

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned for creating a Recoup sandbox, but it can automatically publish broad workspace changes to a Git remote.

Install only if you are comfortable with the agent committing and pushing changes. Prefer running it in a fresh repository, inspect `git status` first, and require manual approval before any commit or push.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to run `git add -A && git commit ... && git push origin main` automatically, which can publish all current workspace changes to the remote repository without any explicit confirmation step. In this context, the skill is initializing a sandbox and may be run in a freshly created repo, which reduces severity somewhat, but it still creates a meaningful risk of unintended data disclosure, committing unrelated files, or overwriting expected workflow controls.

VirusTotal

64/64 vendors flagged this skill as clean.