html-easy-deploy

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed helper for publishing and managing single-file HTML pages on htmlcode.fun, with sensitive version actions documented and bounded by user-directed workflows.

Install this only if you want an agent to publish public HTML pages to htmlcode.fun. Review content before deployment, avoid secrets or private data, and explicitly confirm overwrite, unpublish, delete, set-current, and any `--output` path that could replace a local file.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The skill metadata describes a simple one-way HTML deployment helper, but the implementation also supports mutating existing deployments through append, overwrite, status changes, deletion, and switching the current public version. This capability mismatch is dangerous because an agent or user may grant or invoke the skill expecting low-risk publishing, while it can actually alter or remove previously deployed content and public versions.

Description-Behavior Mismatch

Low

Confidence: 88% confidence
Finding: The skill description suggests uploading HTML to obtain a live URL, but the code also retrieves deployed content and can write it to a local file. This undisclosed readback behavior expands the trust boundary and could expose or exfiltrate remote content into the local environment when users or agents believe the skill only performs outbound deployment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal