Back to skill

Security audit

FastMode CMS - Host, Deploy, Manage Websites for Free

Security checks across malware telemetry and agentic risk

Overview

FastMode is a coherent website-building and deployment skill, but it can publish live sites, change CMS content, invite external users, and store FastMode login credentials locally.

Install this only if you want an agent to manage FastMode websites. Verify the npm package source, log in with the intended FastMode account, confirm the target project before changes, review schema/content edits before they affect an existing site, and approve deployments or client invite links explicitly before they go live or are shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly enables creation and deployment of publicly reachable websites, but the top-level description does not clearly warn the user that actions can publish or overwrite a live internet-accessible site. In an agent context, that omission increases the chance of unintended exposure, accidental defacement, or publishing sensitive/internal content without informed user consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The client invitation workflow allows granting external users portal access and produces invite URLs, but it lacks a clear privacy/security warning about sharing those links and the scope of permissions being delegated. That can lead an agent to invite third parties or expose privileged links without the user fully understanding the access being granted.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.