
Security audit

Apple Viz

Security checks across malware telemetry and agentic risk

Overview

This is a coherent chart-to-PNG generator, but it should be used with ordinary caution because it renders user-provided data through browser tooling.

Install only if you are comfortable with a skill that runs local Python and browser screenshot tooling to create PNG files. Prefer using it on trusted or sanitized chart data, choose output paths deliberately, and consider pinning dependencies before use in a sensitive environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def screenshot_with_playwright(html_path: str, output: str, width: int, height: int) -> bool:
    try:
        result = subprocess.run(
            ["npx", "--yes", "playwright", "screenshot",
             "--browser", "chromium",
             "--viewport-size", f"{width},{height}",
Confidence
92% confidence
Finding
result = subprocess.run( ["npx", "--yes", "playwright", "screenshot", "--browser", "chromium", "--viewport-size", f"{width},{height}", "--wai

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation instructs the agent to run a local Python script and write a PNG to disk, which are code-execution and file-write capabilities, but it declares no permissions or trust boundaries. This mismatch is dangerous because it can cause the skill to be invoked with more operational power than users or the platform expect, reducing transparency and weakening policy enforcement around shell execution and filesystem access.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill depends on external Node/Playwright execution to produce screenshots, which means untrusted input is processed by a full browser stack outside the Python runtime. In this context, the danger is increased because the generated HTML directly interpolates user-controlled fields without escaping, so the subprocess is not just ancillary tooling but the execution environment for potentially attacker-supplied markup.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The description says to use the skill whenever a user asks to visualize, chart, plot, graph, or make a viz, which are broad phrases common in normal conversation. Overbroad routing can trigger shell-backed behavior unexpectedly, causing the agent to invoke external tooling and write files in situations where the user did not clearly request this specific skill or its side effects.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The 'When to use' section repeats ambiguous trigger terms without scope limits, increasing the chance that the agent auto-selects this skill for broad everyday requests. Because the skill leads to shell execution and filesystem writes, ambiguous invocation guidance expands the attack surface for unintended tool use and can be abused through prompt phrasing to steer the agent into higher-risk behavior.

Unvalidated Output Injection

High
Category
Output Handling
Content
def screenshot_with_playwright(html_path: str, output: str, width: int, height: int) -> bool:
    try:
        result = subprocess.run(
            ["npx", "--yes", "playwright", "screenshot",
             "--browser", "chromium",
             "--viewport-size", f"{width},{height}",
Confidence
95% confidence
Finding
subprocess.run( ["npx", "--yes", "playwright", "screenshot", "--browser", "chromium", "--viewport-size", f"{width},{height}", "--wait-for-timeout", "

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyppeteer
Confidence
95% confidence
Finding
pyppeteer

VirusTotal

62/62 vendors flagged this skill as clean.
