Font Pairing

Security checks across malware telemetry and agentic risk

Overview

This font-design helper is coherent and locally bounded, with one minor local history-log privacy caveat.

Safe to install for normal font and design-reference use. Avoid passing private customer names, internal project names, URLs, or other sensitive text as command arguments unless you are comfortable with that text being retained locally in the skill's history file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The script logs command names and user-supplied arguments to a persistent file under the user's data directory without notice or consent. If users pass project names, internal design references, URLs, or other sensitive text as arguments, that data is retained locally and may be exposed to other local processes, backup systems, or anyone with access to the account.

VirusTotal

64/64 vendors flagged this skill as clean.
