Back to skill

Security audit

Ui Ux Pro Max

Security checks across malware telemetry and agentic risk

Overview

This is an opinionated UI/UX guidance skill with disclosed setup and project design-file behavior, not hidden or destructive behavior.

Install this if you want a UI/UX design workflow, but do not let an agent blindly run brew, winget, or sudo apt commands. Approve any system package installation yourself, and verify any local search.py script before using it because that helper is referenced but not included in the reviewed artifact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The workflow instructs the agent to apply this skill whenever a user requests broad UI/UX tasks such as design, build, implement, review, fix, or improve. Those trigger terms are common across many unrelated coding requests, so the skill may activate in situations where its prescriptive workflow and command guidance are not appropriate, causing scope hijacking or unintended tool usage. In context, the skill also directs mandatory execution of local search commands, which makes over-broad invocation more operationally risky.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The manifest description advertises a very large action surface with generic verbs covering planning, building, creating, implementing, reviewing, fixing, optimizing, and checking UI/UX code across many project types. This creates a broad invocation cue that can match normal development requests far beyond specialized design assistance, increasing the chance that the skill is selected when another, narrower skill or direct handling would be safer. Because the skill includes shell command guidance and persistence behavior, accidental activation can influence agent behavior and file writes.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.