Back to skill

Security audit

UI Polish Pass

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only UI polish checklist that is broadly worded but does not add code execution, data access, persistence, or hidden behavior.

Install this if you want Codex to apply a final UI polish checklist during visual or frontend work. Be aware that its activation language is broad, so it may influence styling decisions unless you give a more specific instruction, but it does not run commands, access accounts, or persist anything.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill declares itself as a core pack that is "always active" and should run "on all visual work" as a final step, which gives it unusually broad activation scope. Even though the content is not overtly malicious, broad auto-application can override user intent, consume resources, and systematically push UI changes into contexts where polish should not apply, increasing the chance of unwanted or unsafe modifications.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.