Table Image

Security checks across malware telemetry and agentic risk

Overview

This skill coherently generates PNG table images, with limited and purpose-related network/cache behavior for emoji rendering.

Install this if you want PNG table output for chat platforms. Be aware that npm install will pull the Sharp image library, and tables containing emoji may contact jsDelivr/Twemoji and cache SVG files locally under the skill directory; use plain text or avoid emoji if you need fully offline rendering.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 88% confidence
Finding: This helper reaches out to a remote CDN and persists returned content to local disk, which expands the skill's capability beyond simple table-image generation. Even if intended for emoji rendering, network retrieval of unpinned third-party assets introduces supply-chain and privacy risk, and disk caching creates persistent side effects that are not obvious from the skill description.

Context-Inappropriate Capability

Medium

Confidence: 84% confidence
Finding: Unnecessary outbound network access is a real security concern when the advertised function is local table image generation. The code fetches SVGs from jsDelivr/Twemoji at runtime, so generated output depends on external infrastructure and may leak usage metadata or be influenced by compromised upstream content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal