Back to skill

Security audit

Render Stl Png

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow STL-to-PNG renderer; its main caveat is that the wrapper downloads Pillow into a local cached Python environment on first use.

Install if you are comfortable with a first-run PyPI download of Pillow into a local cache. In stricter environments, preinstall or pin the dependency, and only pass STL input and PNG output paths you intend the tool to access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code creates a cache directory, builds a Python virtual environment, and installs pip and pillow, which modifies the local filesystem and environment. The script provides no confirmation prompt, user-facing notice beyond usage text, or explanatory comments/docstring disclosing these side effects.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.