Unity Level Design Patterns skill.

Security checks across malware telemetry and agentic risk

Overview

This Unity prototyping skill is coherent, but some editor menu actions can delete or overwrite scene/project content without confirmation or undo support.

Install only if you are comfortable using it on copied, disposable, or version-controlled Unity projects. Treat its lighting, player setup, quick setup, baked-lighting, and terrain-generation menu commands as potentially destructive because they may replace existing scene objects or project assets without asking first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium (95% confidence)
The menu action destroys Light and ReflectionProbe GameObjects in the open scene immediately, with no confirmation dialog, no undo registration, and broad name-based deletion for lights containing "Sun" or "Light". In a Unity Editor automation context, this can cause accidental loss of scene setup and significant workflow disruption if triggered unintentionally or used on a scene containing important lighting objects.

Missing User Warnings

Medium (90% confidence)
Clearing baked lighting immediately modifies scene/project lighting state and may discard generated bake data without any user warning, confirmation, or undo-friendly guardrails. In a level-design skill, this is especially relevant because users are likely to invoke editor menu commands during production scenes, making accidental destructive state changes more plausible.

Missing User Warnings

Medium (95% confidence)
The menu action immediately destroys any existing object tagged 'Player' with DestroyImmediate before creating a replacement, without prompting the user or integrating an undo-safe workflow. In a Unity Editor automation skill, this creates a real integrity risk because an editor user can accidentally lose scene content or custom player setup simply by invoking the menu item.

Missing User Warnings

Medium (95% confidence)
This menu action has the same destructive behavior: it locates an existing 'Player' object and removes it immediately with no confirmation, making accidental data loss possible during normal editor use. In level-design tooling, users may have customized prefabs, scripts, or scene references attached to that object, so silent replacement is unsafe.

Missing User Warnings

Medium (95% confidence)
The top-down controller creator also deletes an existing Player object immediately, which is a true destructive-editor behavior issue rather than a false positive. Although not an exploit in the traditional remote-code sense, it can still harm project state by removing scene objects and associated configuration without user consent.

Missing User Warnings

Medium (92% confidence)
The menu action performs broad scene mutations immediately: it creates terrain, lighting, post-processing objects, and a player without any confirmation, dry-run preview, or undo/backup workflow. In an editor automation skill this is not remote code execution, but it is still a real integrity/safety issue because a single click can unexpectedly alter an open scene and disrupt user work.

Missing User Warnings

Medium (95% confidence)
The code writes a TerrainData asset directly to a fixed project path (Assets/TerrainData.asset) with no disclosure, uniqueness check, or confirmation. This can silently overwrite or collide with an existing asset, causing project data loss or confusing changes to source-controlled content.

Missing User Warnings

High (98% confidence)
SetupLighting enumerates all Light objects and immediately destroys every directional light in the scene. This is dangerous because it irreversibly removes existing authored lighting setup without warning, and in a level-design workflow lighting is often high-value scene content.

Missing User Warnings

High (98% confidence)
CreatePlayerController searches for an object named Player and destroys it immediately before creating a new one. In context, this is especially risky because the skill is designed for rapid Unity scene editing, so users are likely to have legitimate player prefabs or configured controllers that would be silently removed.

VirusTotal

66/66 vendors flagged this skill as clean.
