3d-wordcloud-visualizer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent 3D word-cloud visualization skill, with the main caution that its generated HTML loads third-party CDN scripts.

Install if you want an agent to create a local HTML 3D word-cloud viewer. For private conversation exports or sensitive documents, review the generated HTML first or prefer vendored/offline JavaScript dependencies so the page does not fetch third-party CDN code when opened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Low
Confidence: 93%
Finding
The skill claims there are no external API calls and that processing is completely local, but it relies on third-party CDN-hosted JavaScript libraries that must be fetched over the network on first use. This is a security-relevant misrepresentation because users may expose metadata or execute unpinned third-party code they did not expect, even if the uploaded file contents are processed locally in the browser.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill does not clearly warn users that the generated HTML will load third-party JavaScript from CDNs. This omission matters because opening the file executes remote code in the browser context, creating supply-chain and privacy risks that contradict the user's likely expectation of a fully local visualization tool.

VirusTotal

65/65 vendors flagged this skill as clean.
