Back to skill

Security audit

Anki Card Creator

Security checks across malware telemetry and agentic risk

Overview

This is a simple local Anki TSV card generator, but its documentation overstates features and safety controls.

Install only if you want a basic local Anki TSV generator. Run it in a dedicated study folder, provide explicit input and output paths, expect the output file to be overwritten, and review generated medical cards for accuracy before importing them into Anki. Do not rely on the advertised PDF, image, cloze, auto-tagging, or .apkg features unless a future version includes reviewed code for them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The documentation simultaneously claims no external API calls while advertising auto-download of images, which implies undeclared network activity. Hidden or underdocumented network access is dangerous because it can leak user-provided study materials, metadata, or usage patterns to external services and defeats user expectations about offline/local processing.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The checklist promises output restriction to the workspace, but the documented CLI accepts arbitrary user-specified output paths with no stated enforcement. If the implementation follows the docs, a caller could overwrite files outside the intended directory, which can lead to data loss, tampering with other project files, or abuse in automated environments.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Auto-downloading and embedding images introduces network and privacy risk, especially when users may assume study material is processed locally. External fetches can expose query terms, embedded identifiers, or source-derived metadata, and may also pull untrusted remote content into the workflow without notice.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.