Algorithmic Art

Security checks across malware telemetry and agentic risk

Overview

This is a coherent generative-art skill with branding and external-resource caveats, but it does not show hidden access, persistence, credential use, or destructive behavior.

Reasonable to install for generating browser-based p5.js artwork. Before sharing outputs, consider asking the agent to remove or replace Anthropic-style branding unless you have permission, and be aware that generated HTML may contact cdnjs and Google Fonts when opened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill description is broad enough to activate on generic art-with-code requests rather than only the intended niche of algorithmic/generative art. Over-broad routing can cause the agent to invoke a highly prescriptive skill in inappropriate contexts, leading to unwanted file creation, off-scope behavior, or mishandling of user intent.

Natural-Language Policy Violations

Medium
Confidence: 95%
Finding
The skill hard-codes Anthropic branding, layout, fonts, and visual identity as mandatory output regardless of user intent or authorization. This is risky because it can misrepresent generated artifacts as officially branded deliverables, create policy/compliance issues, and reduce the agent's ability to honor user requirements for neutral or custom presentation.

Missing User Warnings

Low
Confidence: 89%
Finding
The template loads p5.js from cdnjs and fonts from Google-hosted domains, which creates a third-party dependency and causes users' browsers to contact external services when the viewer is opened. If those resources are unavailable, changed unexpectedly, or a CDN/account is compromised, the page could lose functionality or execute untrusted script; this is especially relevant because p5.js is executable JavaScript loaded at runtime.

VirusTotal

66/66 vendors flagged this skill as clean.
