Chart Image

Security checks across malware telemetry and agentic risk

Overview

This skill coherently generates local chart images and shows no evidence of hidden data access, exfiltration, persistence, or destructive behavior.

Safe for normal chart generation. Before installing, be comfortable with npm installing the included dependencies, and when using it, keep chart/spec/output paths controlled by the runtime rather than arbitrary user text. Avoid sending charts containing sensitive data into shared channels unless that is intended.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Natural-Language Policy Violations

Medium

Confidence: 82% confidence
Finding: The skill instructs the agent to auto-apply dark mode based on Israel time, which imposes a specific locale/timezone without user consent and can cause behavior that does not match the user's environment or preferences. While not directly enabling code execution or data theft, hardcoding locale assumptions can lead to incorrect outputs, privacy-framing issues, and policy bypass of user or system defaults.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal