Back to skill

Security audit

Apple Design Skill

Security checks across malware telemetry and agentic risk

Overview

This is a design-instruction skill for generating Apple-style frontend pages, with the main practical privacy consideration being third-party fonts and images in generated HTML.

Reasonable to install for design assistance. Before using generated pages with private projects or publishing them, review and replace any Google Fonts or Unsplash/Pexels links if you need offline operation, strict privacy controls, or locally hosted assets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README states that the skill can use optional third-party image search APIs such as Unsplash/Pexels, but it does not warn users that prompts, keywords, or other request data may be sent to external services. In an agent-skill context, this matters because users may assume all processing stays local to the platform or model, leading to unintended disclosure of project context or sensitive query content.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill documentation states that image curation may use optional third-party APIs such as Unsplash/Pexels, but it does not clearly warn users that prompts, queries, or other content may be transmitted to external services. In an agent skill context, even optional outbound data flows should be disclosed because user-provided design requests can contain sensitive project details, making this a real but low-severity transparency/privacy issue.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill encourages use of third-party image APIs and direct external image hotlinks without requiring user consent, privacy disclosure, or host-environment network policy checks. In deployment, this can cause unsolicited outbound requests that leak user IP, headers, referrer context, and possibly sensitive page-generation context to external providers, creating privacy and policy-compliance risk.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.