Style Transfer(风格迁移)

Security checks across malware telemetry and agentic risk

Overview

This looks like a normal development helper skill that may edit project files and run local build commands, with no evidence of hidden or malicious behavior.

Install this only for projects where you are comfortable letting the agent change local source files and run normal development commands. Review diffs before committing, and be cautious with unknown repositories because build/dev scripts may execute arbitrary project code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill instructs editing application source files and creating new style assets, but it does not require explicit confirmation or warn the user that local project files will be modified. In an agentic environment, this can lead to unintended changes, overwrite existing styling, or create merge/build issues when the user expected analysis only.

Missing User Warnings

Low
Confidence: 85%
Finding
The skill directs the agent to run build or dev commands inside the user's project without warning that local commands will be executed. Even common commands like npm run build or npm run dev can trigger arbitrary scripts from package.json, consume resources, or execute untrusted project code.

VirusTotal

64/64 vendors flagged this skill as clean.
