Ainative Git Workflow

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent and instruction-only, but it broadly directs agents to remove AI attribution and may encourage history rewriting without clear user approval.

Install only if your organization and repositories explicitly allow omitting AI/tool attribution. Do not use it where disclosure is required by policy, contract, client expectations, or law, and require manual approval before any amend, rebase, or force-push operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Natural-Language Policy Violations

High
Confidence: 97%
Finding:
The skill explicitly enforces blanket removal of AI/tool attribution across commits, PRs, issues, comments, and documentation, which is a deceptive provenance-suppression policy. This is dangerous because it encourages concealment of automated assistance, can undermine auditability and trust, and may cause users to violate organizational, contractual, or legal disclosure requirements.

Natural-Language Policy Violations

Medium
Confidence: 95%
Finding:
The skill explicitly enforces concealment of AI involvement in commits, PRs, issues, and documentation, including automated git hooks to block disclosures. In a software supply-chain context, this is a policy-level integrity concern because it promotes deliberate removal of provenance information and can mislead reviewers, clients, or compliance processes about how artifacts were produced.

VirusTotal

58/58 vendors flagged this skill as clean.
