Live Preview

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it installs a tunnel tool and shares a local web preview, but users should understand that the preview URL can expose the dev server publicly.

Install only if you are comfortable making a local development server reachable through a public preview link. Before using it, serve only the intended app or directory, remove secrets from client bundles, avoid debug/admin routes and private test data, and stop the tunnel when the preview session ends.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly instructs the agent to expose a local development server to the public internet via a tunnel, but it does not require any privacy, authentication, or data-scope warning before doing so. Development servers often expose unpublished code, debug endpoints, API keys in client bundles, or local-only content, so making them internet-reachable can unintentionally leak sensitive material or broaden attack surface.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal