Back to skill

Security audit

Flex

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local Flexbox CSS helper that runs a Bash/Python script and saves layout data on disk as documented.

Install only if you are comfortable running a local Bash/Python script. It will create and update ~/.flex/data.jsonl, and export can write or overwrite a CSS file at the path you choose, so avoid secrets in layout names and use safe output paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises shell execution and persistent file writes to `~/.flex/data.jsonl` but does not declare any permissions or safety boundaries. This creates a transparency and policy-enforcement gap: an agent or reviewer may treat the skill as lower risk than it really is, while it can modify local state and consume environment/context through shell execution.

Session Persistence

Medium
Category
Rogue Agent
Content
# Flex — CSS Flexbox Layout Generator

A CLI tool for generating CSS Flexbox layouts. Create flex containers, configure alignment, justify, wrap, gap, and order properties, then export production-ready CSS code.

## Prerequisites
Confidence
74% confidence
Finding
Create flex containers, configure alignment, justify, wrap, gap, and order properties, then export production-ready CSS code. ## Prerequisites - Python 3.8+ - `bash` shell - Write access to `~/.flex

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.