Back to skill

Security audit

Arc Text Icon (Upper-Arc Chinese Text)

Security checks across malware telemetry and agentic risk

Overview

This is a focused local image-rendering skill that writes user-requested PNG files and shows no hidden data access, networking, persistence, or privilege escalation.

Install this only if you want a local Python-based renderer that writes PNG files to paths you provide. Keep output paths in normal project or downloads directories, and treat the geometry notes as potentially inconsistent until the maintainer updates the documentation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill’s changelog says a geometry bug was fixed by changing the circle center to `cy = y_top`, but the Core Geometry section still documents `cy = y_top + r`. In a skill that is likely to be followed literally by an agent or maintainer, this contradictory guidance can recreate the prior off-canvas rendering bug, causing empty or misleading output and bypassing the intended reliability checks.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.