
Security audit

CocoLoop Skill Factory

Security checks across malware telemetry and agentic risk

Overview

This is a coherent skill-building factory, but users should review its network searches, local build steps, and bundled reference skills before running generated artifacts.

Install this only if you want a meta-skill that searches external registries, checks the local development environment, fetches reference skills, and generates skill packages. Before running generated or bundled reference scripts, review their dependency installs, output paths, implicit-invocation settings, and any browser/session automation guidance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (31)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
)
    if chromium_check.returncode != 0 or "chromium" not in chromium_check.stdout.lower():
        print("[html_to_png] Installing chromium browser...", file=sys.stderr)
        subprocess.check_call(
            [sys.executable, "-m", "playwright", "install", "chromium"],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL
        )
Confidence
89% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "playwright", "install", "chromium"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import playwright
    except ImportError:
        print("[html_to_png] Installing playwright...", file=sys.stderr)
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", "playwright", "-q",
             "--break-system-packages"],
            stdout=subprocess.DEVNULL
Confidence
95% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "playwright", "-q", "--break-system-packages"], stdout=subprocess.DEVNULL )

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill claims it does not access files outside ~/workspace/presentations/, yet elsewhere instructs the agent to inspect ~/workspace/SOUL.md and ~/workspace/AGENTS.md. That mismatch weakens user trust and can cause the agent to read broader workspace data than the stated boundary, potentially exposing unrelated sensitive information.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The header asserts that all user-provided input is code-enforced sanitized, but the script writes deck content and most metadata fields directly to disk and later feeds them into downstream exporters. That mismatch is dangerous because operators may trust the script’s safety guarantees and pass untrusted content into pandoc or helper scripts that may interpret embedded directives, links, or active content.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script combines HTML-to-PNG conversion with implicit installation of both Python packages and browser binaries, creating environment mutation and external fetch behavior that is not essential to its primary function. This is dangerous in agent ecosystems because it can trigger unexpected network access, alter system state, and increase exposure to dependency compromise or policy violations.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill’s stated purpose is text-to-presentation conversion, but it also instructs writing artifacts into a specific local Obsidian vault path without requiring user confirmation. This expands behavior from content transformation into filesystem side effects, which can surprise users, overwrite files, or place generated content into sensitive personal knowledge repositories.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill advertises local text conversion but also permits fetching arbitrary URLs, which introduces network access and possible exfiltration or retrieval of untrusted remote content. That materially broadens the trust boundary and can cause the agent to contact attacker-controlled endpoints or process hostile data without user awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs use of Cocoloop/ClawHub/GitHub search and reference fetching, including pulling candidate skills locally, without an upfront user warning that external services will be contacted and remote content may be copied into the workspace. This can leak search terms or repository targets externally and introduces supply-chain and data-handling risk from untrusted retrieved content.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The mandated environment-detection step collects platform, system, shell, browser, and local tool information before a clear user-facing privacy warning or consent step. Even if intended for compatibility planning, this is sensitive host fingerprinting data and can expose details unnecessary for users who only wanted documentation or high-level guidance.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The default prompt encourages invoking the meta-skill in a broad, catch-all way ('turn a rough skill idea into a complete multi-platform skill package') without clear scoping, consent, or trigger constraints. In a skill-factory context, this can cause the agent to over-apply the skill to vague requests and amplify downstream risk by generating complex artifacts, plans, or packaging steps before user intent and safety boundaries are clarified.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions explicitly tell the user to keep the target site logged in and then use a browser bridge/automation workflow, but they do not warn that the extension and CLI may operate with the user's authenticated browser context and therefore access session-backed data. In a browser-access skill, that omission is security-relevant because users may unknowingly expose sensitive account data, perform actions on live accounts, or over-trust generated commands against already authenticated sites.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The generated Codex manifest sets `allow_implicit_invocation: true`, which permits the skill to be invoked without explicit user opt-in. In a skill factory context, this broadens the blast radius of any generated skill—especially because generated skills may later gain tool access, file access, or side-effecting behavior, making accidental or policy-bypassing invocation more likely.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The activation trigger includes broad language like "or similar"/natural-language matching, which can cause the skill to activate on ambiguous requests. In an agent that performs filesystem operations and exports files, overbroad triggering increases the chance of unintended actions or setup steps being run without sufficiently clear user intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The first-run instructions direct the agent to copy a helper script into the user's workspace and chmod it executable, but do not require a prominent user-facing warning or consent before modifying the filesystem. Even if the operations are low-complexity, they persist code in the workspace and expand the skill's execution footprint.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation exposes a delete capability without a strong, prominent warning about permanent data loss in the command description itself. Although later sections mention confirmation in some contexts, the helper usage presents deletion as a routine operation, which raises the risk of accidental destructive use by the agent or user.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill explicitly instructs the agent to fetch remote URLs and read local files, but it does not require clear user consent messaging or boundary checks around those actions. In an agent environment, this can lead to unintended access to local data or network resources if the skill is auto-invoked from an ambiguous request or if the source is not clearly user-supplied and approved.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The PNG export path goes beyond simple content transformation and instructs starting a local HTTP server, launching browser automation, injecting JavaScript, and running a bundled script. In a real agent runtime, these actions expand the operational attack surface and can execute tooling with filesystem, network, and browser capabilities without clearly stating safety prerequisites, trust boundaries, or consent requirements.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill enables implicit invocation, but its description and default prompt do not narrowly define when the agent should call it. This can cause the platform to invoke the PPT-generation skill in situations where the user did not clearly request slide creation, leading to unintended tool use, unnecessary data transfer into the skill context, or workflow manipulation.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases are broad enough to activate on many common requests about presentations, increasing the chance the skill runs in contexts the user did not intend. Over-broad activation is risky here because the skill also performs filesystem writes and may fetch URLs, so accidental invocation can lead to unintended side effects.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Writing output to a fixed local directory without warning or confirmation creates an unauthorized local side effect and may expose sensitive content in a predictable location. In this context, the hard-coded path appears user-specific, making the behavior especially error-prone and privacy-impacting if the generated slides contain confidential material.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Fetching arbitrary URLs without warning introduces undisclosed network access and sends user-supplied targets to external systems, which may leak metadata or retrieve hostile content. Because the skill’s main purpose is document conversion, this extra capability is more dangerous than necessary and should not happen silently.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger conditions are broad enough to activate on generic requests like 'summarize this article' or 'one-pager summary', which can cause the skill to run when the user did not explicitly request this specific visual-card workflow. In an agent ecosystem, overbroad activation can lead to unintended prompt steering, incorrect output formats, and interference with other skills better suited to the request.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The README describes the skill as generating professional Chinese visual note cards, which can bias the agent toward Chinese-language output even when the user did not opt in. This is risky because it can override user preference, produce unexpected content, and create prompt-scope confusion in multilingual environments.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger description is broad enough to capture generic requests like summarization, one-page summaries, or style-matching tasks that may belong to other skills. In an agentic routing system, this can cause mis-selection of the skill, leading to unnecessary file generation, external script execution, and outputs that do not match user intent.

Natural-Language Policy Violations

High
Confidence
95% confidence
Finding
The skill description commits to generating professional Chinese visual note cards by default, which overrides user language preference and can force unexpected locale behavior. In multi-user or multilingual environments, this can cause policy conflicts, miscommunication, and incorrect outputs when the source material or requested audience is not Chinese-speaking.

VirusTotal

66/66 vendors flagged this skill as clean.