Web Builder

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward app-scaffolding skill that creates local project files, with no evidence of hidden data access, exfiltration, or destructive behavior.

Install only if you want a local full-stack app scaffold. Use an explicit project name, generate into a new empty directory, review the generated files and package.json files before running npm install, and avoid invoking it casually with ambiguous phrases unless you intend code generation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The activation description is broad enough to trigger on common requests like 'build/create/scaffold a new app,' which can cause the skill to activate unexpectedly outside narrowly intended contexts. Over-broad invocation increases the chance of unreviewed code generation or script execution in contexts where the user did not explicitly request this specific skill, expanding attack surface and reducing operator control.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The phrase "just build it" is a very broad invocation condition and can cause the skill to activate in contexts where the user did not explicitly request this specific app-building mode. In an agent setting, overly permissive triggers can lead to unintended scaffolding actions, incorrect tool selection, or surprise execution of a high-impact workflow.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal