Visual Note Card

Security checks across malware telemetry and agentic risk

Overview

This skill coherently creates visual note cards, with disclosed browser rendering and third-party font/script dependencies but no evidence of hidden data access or malicious behavior.

Install this if you want an agent to create HTML/PNG visual note cards. Be aware that generated HTML may contact Google Fonts and cdnjs when opened, and only render HTML content you trust with the Playwright export script. Check paths carefully before running the documented uninstall command.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The trigger conditions are broad enough to activate on generic requests to summarize content into a visual format, which can cause unintended routing of user tasks to this skill. In an agent ecosystem, overbroad activation can lead to inappropriate skill invocation, unexpected external resource usage, and reduced user control over output format and behavior.

Missing User Warnings

Low

Confidence: 74% confidence
Finding: The README describes the output as self-contained while noting exceptions for Google Fonts and html2canvas CDN, but it does not clearly warn users about the privacy, integrity, and availability implications of loading external resources. This can mislead users into treating the generated file as fully local and offline-safe when it actually makes third-party network requests.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal