Designing TUIs

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only TUI design skill whose file-writing guidance is expected for its purpose, with minor scoping cautions but no evidence of malicious behavior.

Safe to install for TUI design workflows. Before using it, confirm the target framework and output path, and review any generated code or .tui file before running or overwriting existing project files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger language is intentionally expansive ('welcome screens, dashboards, wizards ... or terminal UI visuals even when the user does not say TUI'), which can cause the skill to activate for broadly UI-adjacent prompts rather than clear TUI requests. In an agent system, over-broad activation can route unrelated user input into file-generating or code-generating workflows, increasing the chance of unintended actions or confusing, unsafe tool use.

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The workflow directs the agent to save a .tui file to a default path ('designs/<name>.tui') without first requiring explicit confirmation that a file should be created or modified at that location. While not directly exploitable on its own, this can lead to unintended workspace writes, surprising side effects, or overwriting user content when the skill is auto-invoked or the path assumption is wrong.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal