Back to skill

Security audit

Dashboard Design For Trials

Security checks across malware telemetry and agentic risk

Overview

The skill appears to generate an HTML output file as part of its stated purpose, with a small disclosure and path-safety gap but no evidence of hidden or malicious behavior.

Before installing, confirm where the skill writes HTML reports and prefer a dedicated output folder. Avoid pointing `--output` at existing project files unless you intend to replace them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares executable Python behavior that writes an output HTML file, but it does not declare any explicit permissions despite having file-write capability. This creates a trust and containment gap: users or orchestration systems may treat the skill as lower risk than it is, and the unrestricted `--output` parameter could enable overwriting arbitrary workspace files if not constrained by implementation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.