Back to skill

Security audit

Projitive

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed project-governance workflow that may create and update repo governance files, but the behavior is coherent with its purpose.

Install this only in repositories where you want Projitive to manage `.projitive` governance files. Review changes before committing them, avoid putting secrets in task or report files, and separately evaluate or pin the external `@projitive/mcp` package instead of relying blindly on `@latest`.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill directs the agent to run `projectInit(...)` immediately when `.projitive/` is missing or incomplete, without requiring user confirmation or clearly warning that this action can create or modify repository files. In an agent setting, this enables unreviewed filesystem changes and repository-wide governance scaffolding to be introduced automatically, which is risky especially when the target project was not intended to be altered.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The fallback path instructs the agent to execute a task, write evidence files, and update `tasks.md` directly, again without any user consent or warning about modifying project files. Because this fallback is triggered specifically when MCP is unavailable, it bypasses the stated safety guard of using MCP-mediated writes and can lead to silent, broad repository mutations under degraded conditions.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.