Security audit

Ascii Tool

Security checks across malware telemetry and agentic risk

Overview

This appears to be a low-risk local ASCII utility, but its documentation advertises character-code inspection while the bundled script generates ASCII art.

Install only if you are comfortable with the mismatch: this version is not an ASCII code/encoding inspector as advertised; it is an ASCII-art generator. It does not appear to access private data, use credentials, contact the network, or persist anything.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The implementation materially differs from the advertised skill purpose: instead of inspecting ASCII codes or text encodings, it generates ASCII art. In an agent setting, this capability mismatch is dangerous because callers may trust the manifest and route sensitive text for analysis, while the tool performs unrelated transformations and could mislead downstream automation or users.

Intent-Code Divergence

Low

Confidence: 93% confidence
Finding: The module docstring explicitly advertises an ASCII art tool, reinforcing the mismatch with the manifest's encoding-inspection description. While not directly enabling code execution, this inconsistency increases the risk of deceptive or unsafe tool selection in automated agent workflows by obscuring the tool's true behavior.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.