
Security audit

pixelmsg

Security checks across malware telemetry and agentic risk

Overview

pixelmsg is a coherent HTML-to-image rendering skill, but its templates load remote scripts and fonts from public CDNs during rendering, and one documented template (the weather card) calls a live weather API, Open-Meteo, at render time.

Install only if you are comfortable running a local Playwright renderer that executes template JavaScript and contacts third-party CDNs and, for the weather card, Open-Meteo. Do not render secrets or private reports with templates that load remote scripts unless you vendor the assets locally or block network egress from the renderer, and use unique filenames when copying generated images into the workspace so that existing files are never overwritten.
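The advice above to block network access can be enforced inside the renderer rather than left to the template. The following is an added example, not code from the pixelmsg skill: it uses Playwright's Python request-routing API to check every request the page makes against an explicit host allowlist that defaults to empty, aborts anything else, and returns the refused URLs so the operator can see which scripts, fonts or APIs a template tried to reach. The names `NO_EGRESS`, `is_allowed`, `render_locked_down` and `gate` are chosen here; the Open-Meteo host in the usage note is taken from the findings on this page.

```python
from urllib.parse import urlparse

# Default policy: no network egress at all. An operator who accepts a specific
# dependency (for example the weather card's Open-Meteo call) adds that host
# explicitly instead of letting the template decide.
NO_EGRESS = frozenset()


def is_allowed(url, allowed_hosts=NO_EGRESS):
    """Return True only for non-network URLs or hosts on the allowlist.

    Exact host match only: a lookalike such as api.open-meteo.com.evil.example
    must not pass just because it ends with an allowed name.
    """
    parts = urlparse(url)
    if parts.scheme in ("data", "blob", "about"):
        return True  # inlined assets never leave the renderer
    if parts.scheme not in ("http", "https"):
        return False  # file:, ftp:, ws: and anything else are denied
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def render_locked_down(html, out_png, allowed_hosts=NO_EGRESS):
    """Render `html` to `out_png` with every non-allowlisted request aborted.

    Returns the list of URLs the template tried to reach and was refused.
    Assumes the `playwright` package and a Chromium build are installed
    (assumption of this example; imported lazily so the policy function
    above stays usable without a browser).
    """
    from playwright.sync_api import sync_playwright

    blocked = []

    def gate(route, request):
        if is_allowed(request.url, allowed_hosts):
            route.continue_()
        else:
            blocked.append(request.url)
            route.abort("blockedbyclient")

    with sync_playwright() as pw:
        browser = pw.chromium.launch()
        page = browser.new_page()
        page.route("**/*", gate)  # intercept before any request leaves
        page.set_content(html, wait_until="load")
        page.screenshot(path=out_png, full_page=True)
        browser.close()
    return blocked
```

To run the weather card with the one dependency the README documents, pass `allowed_hosts=frozenset({"api.open-meteo.com"})`; every CDN script and font request is still refused and reported. Vendored Tailwind, Alpine and font files can be inlined as `data:` URLs or served from a local loopback HTTP server whose host you allowlist, which keeps rendering deterministic and offline-capable.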

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch
Severity: Medium, confidence 89%
The README presents the templates as self-contained and says to avoid external API calls at render time, yet it also documents a live weather template that depends on Open-Meteo. In a Playwright-based renderer, a network-dependent template extends the trust boundary to an external service: it can leak request metadata, fail nondeterministically, and pull unreviewed remote content into the render.

Intent-Code Divergence
Severity: Medium, confidence 91%
The contradictory guidance can lead agents or operators to treat the templates as safe and self-contained when at least one documented template makes live external requests at render time. Because the skill renders user-facing HTML in Playwright, hidden network activity matters more than in a static pipeline: it gives the renderer SSRF-like egress, can leak private data, and makes output unreliable in automated agent workflows.

Intent-Code Divergence
Severity: Medium, confidence 84%
The skill explicitly claims there are no external API calls at render time, yet the example template fetches Tailwind, Alpine, and fonts from public CDNs while rendering. This is a supply-chain and privacy risk: rendering depends on third-party resources that can change or fail without notice, and every render discloses metadata about the rendering environment to those CDNs.

Context-Inappropriate Capability
Severity: Medium, confidence 90%
The skill instructs the agent to copy generated files into a broader workspace path outside the skill directory. Even if the intent is only attachment delivery, this widens the filesystem write scope and normalizes writing to shared, agent-controlled locations, which can be abused to overwrite files, plant artifacts, or cross task boundaries if destination paths are not tightly constrained.

Context-Inappropriate Capability
Severity: Medium, confidence 95%
The template loads Alpine.js from a third-party CDN at render time, introducing remote script execution into what should be a deterministic local image-rendering flow. If the CDN content is compromised or silently updated, the renderer executes attacker-controlled JavaScript with access to the page's data and to whatever browser and network capabilities Playwright exposes; if the CDN is unavailable, rendering simply breaks.

Context-Inappropriate Capability
Severity: Low, confidence 88%
The template fetches fonts from Google Fonts, adding outbound network access and a dependency risk that a local rendering task does not need. Fonts are less dangerous than active scripts, but the requests still leak metadata, reduce determinism, can break rendering when the renderer is offline, and let a third party track render activity.

Context-Inappropriate Capability
Severity: Low, confidence 92%
The template loads remote assets from Google Fonts, gstatic, jsDelivr, and AlpineJS at render time. For an image-rendering skill these are unnecessary external dependencies that leak metadata, break determinism, and expose the renderer to supply-chain or content-tampering risk if any third-party resource changes or is compromised.

Description-Behavior Mismatch
Severity: Medium, confidence 94%
The template pulls remote assets at render time, including fonts and JavaScript from third-party CDNs, so HTML-to-PNG rendering is no longer a purely local transformation. That expands the trust boundary of the rendering skill and creates supply-chain and data-exfiltration risk if those resources are modified, become unavailable, or record request metadata.

Context-Inappropriate Capability
Severity: Medium, confidence 97%
The template executes remote JavaScript from the Tailwind and Alpine CDNs inside the renderer. A compromise of either CDN, dependency drift, or unexpected script behavior would execute in the rendering environment, which is especially risky for an agent skill that may render sensitive prompts or internal data.

Description-Behavior Mismatch
Severity: Medium, confidence 96%
The weather card fetches live data from Open-Meteo instead of rendering only the inputs it is given. This turns a presentation template into a network client: it makes unexpected outbound requests, and its output depends on runtime connectivity and on a third party's behavior.

Context-Inappropriate Capability
Severity: Medium, confidence 94%
This template fetches fonts and JavaScript from third-party CDNs during rendering, breaking the local/offline trust boundary an HTML-to-PNG skill implies. In a headless browser those requests can leak metadata, fail unpredictably in restricted environments, and expose rendering to supply-chain compromise if the CDN-hosted assets are tampered with.

Context-Inappropriate Capability
Severity: Low, confidence 90%
The template loads third-party resources from Google Fonts, Google-hosted font infrastructure, jsDelivr, and AlpineJS at render time, extending the trust boundary beyond local HTML rendering. In a Playwright-based image pipeline, remote scripts and assets change independently of the skill, introduce supply-chain risk, leak request metadata, and cause render-time network access that a static card template does not need.
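The remote-asset findings above (CDN-hosted Tailwind and Alpine, Google Fonts and gstatic, the Open-Meteo call) describe dependencies an operator should enumerate before installing a skill rather than discover at render time. The following is an added example, not the scanner's or the skill's own code: a small static checker that pulls `src`/`href` attributes, CSS `url()` references and literal `fetch()` URLs out of a template and groups them by what they let the renderer do (execute remote code, call a live API, or load a passive asset). `SAMPLE_TEMPLATE` is constructed here to mirror the dependency mix the findings describe and is not the skill's actual template; the function names are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample mirroring the dependency mix described in the findings.
# It is NOT the pixelmsg template itself.
SAMPLE_TEMPLATE = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css2?family=Inter&display=swap" rel="stylesheet">
<script src="https://cdn.tailwindcss.com"></script>
<script defer src="https://cdn.jsdelivr.net/npm/alpinejs@3/dist/cdn.min.js"></script>
<style>@import url("https://fonts.googleapis.com/css2?family=Roboto");</style>
</head><body x-data="{t:null}" x-init="fetch('https://api.open-meteo.com/v1/forecast?latitude=52&longitude=13&current_weather=true').then(r=>r.json()).then(d=>t=d.current_weather.temperature)">
<img src="./logo.png"><div x-text="t"></div>
</body></html>
"""

# Literal references only; URLs assembled at runtime in JavaScript are not
# visible to a static scan, which is why the runtime allowlist still matters.
_SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["'](?P<url>[^"']+)["']""", re.I)
_FETCH = re.compile(r"""fetch\(\s*["'`](?P<url>[^"'`]+)["'`]""", re.I)
_ATTR = re.compile(r"""(?P<kind>src|href)\s*=\s*["'](?P<url>[^"']+)["']""", re.I)
_CSS = re.compile(r"""(?:@import\s+)?url\(\s*["']?(?P<url>[^"')]+)["']?\s*\)""", re.I)


def find_remote_refs(html):
    """Return {url: kind} for every http(s) or protocol-relative URL referenced.

    kind is 'script' (remote code runs in the renderer), 'fetch' (live API
    call), or the attribute/CSS source ('src', 'href', 'css') for passive loads.
    """
    refs = {}
    for m in _SCRIPT_SRC.finditer(html):
        refs[m.group("url")] = "script"
    for m in _FETCH.finditer(html):
        refs[m.group("url")] = "fetch"
    for m in _ATTR.finditer(html):
        refs.setdefault(m.group("url"), m.group("kind").lower())
    for m in _CSS.finditer(html):
        refs.setdefault(m.group("url"), "css")

    remote = {}
    for url, kind in refs.items():
        if url.startswith("//"):
            url = "https:" + url  # protocol-relative still leaves the host
        parts = urlparse(url)
        if parts.scheme in ("http", "https") and parts.hostname:
            remote[url] = kind  # relative paths like ./logo.png are dropped
    return remote


def remote_hosts(html):
    """Sorted list of external hosts a render of this template would contact."""
    return sorted({urlparse(u).hostname.lower() for u in find_remote_refs(html)})


def render_time_risks(html):
    """Group references by the capability they hand to a third party."""
    refs = find_remote_refs(html)
    return {
        "scripts": sorted(u for u, k in refs.items() if k == "script"),
        "live_calls": sorted(u for u, k in refs.items() if k == "fetch"),
        "assets": sorted(u for u, k in refs.items() if k not in ("script", "fetch")),
    }


if __name__ == "__main__":
    for host in remote_hosts(SAMPLE_TEMPLATE):
        print("contacts", host)
    for group, urls in render_time_risks(SAMPLE_TEMPLATE).items():
        for url in urls:
            print(f"{group:10s} {url}")
```

Run it over every file in a skill's template directory before installation: a non-empty `scripts` list means the renderer will execute third-party code, a non-empty `live_calls` list means a template is a network client, and either one contradicts a README claim of "no external calls at render time". Because the scan is literal, treat an empty result as necessary but not sufficient evidence; the runtime allowlist is the enforcement point.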

Vague Triggers
Severity: High, confidence 87%
The trigger guidance is extremely broad, including "when in doubt, prefer generating an image" and many generic content types. This invites unintended invocation, which increases exposure to rendering, file creation, network-loaded assets, and downstream delivery behaviors even when a plain-text response would suffice.

Missing User Warnings
Severity: Medium, confidence 96%
The plan includes an unconditional `rm` command that deletes multiple files with no confirmation, safety check, or instruction to verify the current working directory first. In an agent-executed workflow this raises the chance of accidental data loss if the command runs from the wrong path or against an unexpected repository state.

Missing User Warnings
Severity: Medium, confidence 94%
The workflow temporarily overwrites tracked template files and relies on backups in `/tmp` for restoration, with no safeguard against failure, interruption, or concurrent execution. If rendering or restoration fails, the repository is left in a modified state, risking accidental corruption, bad commits, or loss of the intended English content.
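The findings on the workspace copy, the unconditional `rm`, and the overwrite-then-restore workflow share one remedy: confine every path to a known root, never overwrite silently, and make restoration unconditional. The following is an added example, not the skill's own scripts, of how an agent-run workflow can do that in Python: `confined` rejects paths that escape the root, `copy_unique` uses `O_EXCL` so a generated image never replaces an existing file, `scoped_remove` stands in for the bare `rm`, and `swapped_templates` takes a lock file and restores the originals in a `finally` block. All function names, the `.pixelmsg.lock` file and the `demo` scenario are assumptions made here.

```python
import contextlib
import os
import shutil
import tempfile
from pathlib import Path


def confined(path, root):
    """Resolve `path` (relative to `root` unless absolute) and refuse anything
    outside `root`, including `..` segments and symlink escapes."""
    root = Path(root).resolve()
    target = Path(path)
    target = (target if target.is_absolute() else root / target).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"{target} is outside {root}")
    return target


def copy_unique(src, workspace):
    """Copy a rendered image into the workspace without ever overwriting.
    O_EXCL makes create-or-skip atomic, so concurrent runs cannot clobber."""
    src = Path(src)
    stem, suffix = os.path.splitext(src.name)
    for n in range(1000):
        name = src.name if n == 0 else f"{stem}-{n}{suffix}"
        dest = confined(name, workspace)
        try:
            fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        except FileExistsError:
            continue
        with os.fdopen(fd, "wb") as out, src.open("rb") as inp:
            shutil.copyfileobj(inp, out)
        return dest
    raise RuntimeError(f"too many existing copies of {src.name}")


def scoped_remove(names, root):
    """Replacement for an unconditional `rm`: delete only regular files that
    resolve inside `root`, and report what was actually removed."""
    removed = []
    for name in names:
        target = confined(name, root)
        if target.is_file():
            target.unlink()
            removed.append(target)
    return removed


@contextlib.contextmanager
def swapped_templates(replacements, lock_dir):
    """Overwrite tracked templates with `replacements` ({path: text}); restore
    the originals on success, exception or interruption; refuse to start while
    another run holds the lock (assumed lock file name)."""
    lock = Path(lock_dir) / ".pixelmsg.lock"
    try:
        os.close(os.open(lock, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o644))
    except FileExistsError:
        raise RuntimeError(f"another run holds {lock}; refusing to overwrite")
    backup_dir = Path(tempfile.mkdtemp(prefix="pixelmsg-backup-"))
    backups = {}
    try:
        for i, path in enumerate(map(Path, replacements)):
            backup = backup_dir / f"{i}-{path.name}"
            shutil.copy2(path, backup)  # back up before touching anything
            backups[path] = backup
        for path, text in replacements.items():
            Path(path).write_text(text, encoding="utf-8")
        yield backup_dir
    finally:
        for path, backup in backups.items():
            shutil.copy2(backup, path)  # always restore, even on failure
        shutil.rmtree(backup_dir, ignore_errors=True)
        lock.unlink(missing_ok=True)


def demo():
    """Exercise the helpers in a throwaway directory with constructed data."""
    base = Path(tempfile.mkdtemp(prefix="pixelmsg-demo-"))
    template = base / "card.html"
    template.write_text("<p>English</p>", encoding="utf-8")
    results = {}
    try:
        with swapped_templates({template: "<p>Localized</p>"}, lock_dir=base):
            results["during"] = template.read_text(encoding="utf-8")
            raise ValueError("simulated render failure")
    except ValueError:
        pass
    results["after"] = template.read_text(encoding="utf-8")
    results["lock_left"] = (base / ".pixelmsg.lock").exists()
    png = base / "out.png"
    png.write_bytes(b"\x89PNG\r\n\x1a\n")
    workspace = base / "workspace"
    workspace.mkdir()
    results["copies"] = [copy_unique(png, workspace).name for _ in range(2)]
    try:
        confined("../card.html", workspace)
        results["escape_blocked"] = False
    except PermissionError:
        results["escape_blocked"] = True
    results["removed"] = [p.name for p in scoped_remove(["out.png", "missing.png"], workspace)]
    shutil.rmtree(base, ignore_errors=True)
    return results
```

The lock is a plain `O_EXCL` file rather than an advisory `flock`, so it works the same on every platform the renderer runs on; if a run is killed hard the stale lock must be removed by hand, which is the safer failure mode than two runs overwriting the same tracked files. A workflow that renders inside `swapped_templates` and then `copy_unique`s the result into the workspace leaves the repository untouched whether rendering succeeds or not.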

VirusTotal

66/66 vendors flagged this skill as clean.
