Back to skill

Security audit

Creating Explainers

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent helper for creating interactive HTML explainers, with no hidden execution, credential use, persistence, or exfiltration behavior found.

Install this if you want agents to produce polished, interactive single-file HTML explainers. Review outputs before sharing them, especially source citations and claims, and be aware that pages generated from the provided template load fonts from Google unless the template is changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger language is broad enough to capture generic requests like 'explain X visually' or 'make an explainer', which can cause the agent to invoke this skill outside its intended niche. That can lead to inappropriate tool/skill selection, unnecessary web research, or generation of self-contained HTML when the user wanted a simpler or different artifact.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The skill explicitly permits external requests to Google Fonts but does not clearly warn the user that opening the generated page may contact a third party. This creates a minor privacy and policy risk because document viewing can leak metadata such as IP address, user agent, and access timing to an external service.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.