Create AI Miniprogram

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide normal project or skill setup commands, with no evidence of hidden data access, persistence, exfiltration, or destructive behavior.

Before installing, review the package or skill source and run setup commands only in a project directory you intend to modify. Be aware that npx/setup commands may create files, initialize git, and install third-party code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill directs the agent/user to run project-creating and setup commands (`mp-skills new`, `add`, `setup`) that modify the filesystem, initialize a git repository, and may install code from external sources, but it does not require an explicit warning or confirmation before those side effects occur. In an agent setting, this increases the risk of unintended local changes, dependency installation, or execution of unreviewed setup steps, especially because `npx` can fetch and run remote packages and the skill-install commands pull external content.

VirusTotal

63/63 vendors flagged this skill as clean.
