Security audit

Academic Figures

Security checks across malware telemetry and agentic risk

Overview

This is a local academic chart generator whose code matches its stated purpose and does not show hidden data access or network behavior.

Install this for local chart generation from data you intentionally provide. Be aware that generic plotting requests may activate it, and choose input and output paths carefully because the tool reads the input file and writes or overwrites the requested output file.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The trigger list contains broad phrases like 'make figure', 'generate chart', and 'plot data', which can match many ordinary requests and cause the skill to activate outside its intended scope. Over-broad activation increases the chance that an agent invokes local file-reading or script-execution behavior unexpectedly, which can lead to unintended data handling or unsafe tool selection.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.