Security audit

Shadow

Security checks across malware telemetry and agentic risk

Overview

This is a CSS shadow generator whose local script and storage behavior match its stated purpose.

Install only if you are comfortable running a local Bash/Python CLI. Expect saved presets in ~/.shadow/data.jsonl, and review any --output path before generating preview files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding:
The skill describes persistent local storage in `~/.shadow/data.jsonl` and generation/export/preview workflows that imply file read and file write behavior, but it does not declare any permissions or provide explicit capability boundaries. This creates a transparency and governance gap: an agent or reviewer may invoke the skill without understanding that it reads from and writes to the local filesystem, increasing the risk of unintended data exposure or modification.

Vague Triggers

Medium
Confidence: 79%
Finding:
The description says the skill should be used whenever a user needs shadow effects, presets, animations, and related design tasks, which is broad enough to trigger on many generic frontend or CSS requests. Overly broad invocation language can cause the skill to activate in contexts where it is unnecessary, leading to unexpected file operations or command execution associated with the tool.

VirusTotal

60/60 vendors flagged this skill as clean.