Back to skill

Security audit

Figure Legend Gen

Security checks across malware telemetry and agentic risk

Overview

This skill is a local template-based figure legend generator, with minor documentation ambiguity but no evidence of hidden network use or unsafe behavior.

Safe to install for ordinary local use. Provide only the figure paths and output paths you intend to use, and avoid confidential unpublished figures until the publisher clarifies the misleading Network/API language; the reviewed code itself appears local-only.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises write-capable behavior via the optional `--output` parameter, but no explicit permissions are declared. In an agent environment, undocumented file-write capability weakens policy enforcement and can enable unintended modification of workspace files or overwrite user data if the runtime trusts metadata for authorization.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger text is broad enough that the skill may auto-activate on many research-image or chart-related requests without clearly bounded user intent. In agent systems, ambiguous routing can cause unnecessary file access, processing of sensitive research figures, or unintended network/API use when the user did not explicitly consent to those actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill acknowledges external API calls and file-write behavior, but does not clearly warn users when figure data may be transmitted off-box or when files may be created or modified. Because scientific figures can contain unpublished or sensitive research data, the combination of network access and file output increases the risk of confidentiality loss and unintended file-system side effects.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.