Security audit

Colors CC

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed color and placeholder helper, but it sends image and color requests to a third-party service.

Install only if you are comfortable with generated color and placeholder requests going to colors-cc.top. Do not put secrets, private project names, customer data, or internal labels in placeholder text or URL parameters, and consider local or self-hosted assets for sensitive/internal work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (22)

External Transmission

Medium
Category
Data Exfiltration
Content
### 1. SVG Placeholders with Animation Effects
Generate dynamic, lightweight placeholders for UI mockups with various gradient and animation effects.
- **Endpoint**: `https://api.colors-cc.top/placeholder`
- **Params**: 
  - `w`: Width in pixels (default: 800, range: 50-4000)
  - `h`: Height in pixels (default: 400, range: 50-4000)
Confidence
91% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
- `speed`: Animation duration in seconds for non-static effects (default: 10, range: 1-30)
  - `attribution`: Include branding watermark (default: true). Set to `false` or `0` to disable. When enabled, adds a subtle "colors-cc.top" watermark (15% opacity) in bottom-right corner and HTML comment for viral sharing.
- **Examples**: 
  - **Static**: `<img src="https://api.colors-cc.top/placeholder?w=1200&h=630&text=Hero+Banner&palette=%23F06292,%2364B5F6" alt="Hero">`
  - **Holographic**: `<img src="https://api.colors-cc.top/placeholder?w=800&h=400&effect=holographic&palette=%2300FF41,%2300B8FF&speed=5" alt="Holo">`
  - **Mesh**: `<img src="https://api.colors-cc.top/placeholder?w=800&h=400&effect=mesh&palette=%23FFD6A5,%23FFADAD,%23E2A0FF&speed=8" alt="Mesh">`
- **Response**: SVG image with `Cache-Control: public, max-age=31536000, immutable`
Confidence
93% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
- `attribution`: Include branding watermark (default: true). Set to `false` or `0` to disable. When enabled, adds a subtle "colors-cc.top" watermark (15% opacity) in bottom-right corner and HTML comment for viral sharing.
- **Examples**: 
  - **Static**: `<img src="https://api.colors-cc.top/placeholder?w=1200&h=630&text=Hero+Banner&palette=%23F06292,%2364B5F6" alt="Hero">`
  - **Holographic**: `<img src="https://api.colors-cc.top/placeholder?w=800&h=400&effect=holographic&palette=%2300FF41,%2300B8FF&speed=5" alt="Holo">`
  - **Mesh**: `<img src="https://api.colors-cc.top/placeholder?w=800&h=400&effect=mesh&palette=%23FFD6A5,%23FFADAD,%23E2A0FF&speed=8" alt="Mesh">`
- **Response**: SVG image with `Cache-Control: public, max-age=31536000, immutable`
Confidence
93% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
- **Examples**: 
  - **Static**: `<img src="https://api.colors-cc.top/placeholder?w=1200&h=630&text=Hero+Banner&palette=%23F06292,%2364B5F6" alt="Hero">`
  - **Holographic**: `<img src="https://api.colors-cc.top/placeholder?w=800&h=400&effect=holographic&palette=%2300FF41,%2300B8FF&speed=5" alt="Holo">`
  - **Mesh**: `<img src="https://api.colors-cc.top/placeholder?w=800&h=400&effect=mesh&palette=%23FFD6A5,%23FFADAD,%23E2A0FF&speed=8" alt="Mesh">`
- **Response**: SVG image with `Cache-Control: public, max-age=31536000, immutable`

### 2. Fluid Animated Placeholders (Alias)
Confidence
93% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
### 2. Fluid Animated Placeholders (Alias)
Generate dynamic SVG gradients with smooth color transitions and animations.
- **Endpoint**: `https://api.colors-cc.top/fluid-placeholder`
- **Params**: 
  - `w`, `h`, `text`, `speed`, `attribution` (same as above)
  - `palette`: Comma-separated colors — HEX, RGB, or HSL (default: random, range: 2-10 colors)
Confidence
90% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
- **Params**: 
  - `w`, `h`, `text`, `speed`, `attribution` (same as above)
  - `palette`: Comma-separated colors — HEX, RGB, or HSL (default: random, range: 2-10 colors)
- **Example**: `<img src="https://api.colors-cc.top/fluid-placeholder?w=1200&h=400&palette=%23FFD6A5,%23FFADAD,%23E2A0FF&speed=8&text=Animated+Hero" alt="Warm Gradient">`
- **Response**: Animated SVG with smooth color transitions and `Cache-Control: public, max-age=31536000, immutable`

### 3. Random Colors
Confidence
90% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
### 3. Random Colors
Get a random HEX and RGB color with generation timestamp.
- **Endpoint**: `GET https://api.colors-cc.top/random`
- **Returns**: `{"hex": "#A1B2C3", "rgb": "rgb(161, 178, 195)", "timestamp": "2024-03-12T10:30:00.000Z"}`
- **Example**: Fetch this endpoint when you need random colors for mock data or UI components.
Confidence
86% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
### 4. Curated Theme Palettes
Fetch high-quality color sets for design inspiration.
- **Endpoint**: `GET https://api.colors-cc.top/palette?theme={theme_name}`
- **Themes**: `cyberpunk`, `vaporwave`, `retro`, `monochrome`
- **Returns**: `{"theme": "cyberpunk", "colors": ["#FCEE09", "#00FF41", ...], "count": 5}`
- **Example**: `fetch('https://api.colors-cc.top/palette?theme=vaporwave')`
Confidence
88% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
- **Endpoint**: `GET https://api.colors-cc.top/palette?theme={theme_name}`
- **Themes**: `cyberpunk`, `vaporwave`, `retro`, `monochrome`
- **Returns**: `{"theme": "cyberpunk", "colors": ["#FCEE09", "#00FF41", ...], "count": 5}`
- **Example**: `fetch('https://api.colors-cc.top/palette?theme=vaporwave')`

### 5. Universal Color Converter
Stateless conversion between HEX, RGB, HSL, and CMYK formats.
Confidence
88% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
### 5. Universal Color Converter
Stateless conversion between HEX, RGB, HSL, and CMYK formats.
- **Endpoint**: `GET https://api.colors-cc.top/convert?hex={hex}|rgb={rgb}|hsl={hsl}|cmyk={cmyk}`
- **Params**: Provide ONE of: `hex`, `rgb`, `hsl`, or `cmyk`
- **Returns**: `{"hex": "#FF5733", "rgb": "rgb(255, 87, 51)", "hsl": "hsl(10, 100%, 60%)", "cmyk": "cmyk(0%, 66%, 80%, 0%)"}`
- **Example**: `https://api.colors-cc.top/convert?hex=%23FF5733`
Confidence
91% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
- **Endpoint**: `GET https://api.colors-cc.top/convert?hex={hex}|rgb={rgb}|hsl={hsl}|cmyk={cmyk}`
- **Params**: Provide ONE of: `hex`, `rgb`, `hsl`, or `cmyk`
- **Returns**: `{"hex": "#FF5733", "rgb": "rgb(255, 87, 51)", "hsl": "hsl(10, 100%, 60%)", "cmyk": "cmyk(0%, 66%, 80%, 0%)"}`
- **Example**: `https://api.colors-cc.top/convert?hex=%23FF5733`
- **Error**: Returns `{"error": "Invalid color format"}` with status 400 if input is invalid

### 6. CSS Color Names Directory
Confidence
91% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
### 6. CSS Color Names Directory
Get all standard CSS color names mapped to their HEX values (~140 colors).
- **Endpoint**: `GET https://api.colors-cc.top/all-names`
- **Returns**: `{"AliceBlue": "#F0F8FF", "AntiqueWhite": "#FAEBD7", "Tomato": "#FF6347", ...}`
- **Example**: Use this to look up named colors like 'tomato' → '#FF6347'
Confidence
82% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
```html
<section class="hero">
  <!-- Animated hero banner with text -->
  <img src="https://api.colors-cc.top/placeholder?w=1200&h=600&text=Hero+Section&effect=mesh&palette=%23FFD6A5,%23FFADAD,%23E2A0FF&speed=10" alt="Hero">
</section>
<div class="features">
  <!-- Static placeholder images -->
Confidence
93% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
</section>
<div class="features">
  <!-- Static placeholder images -->
  <img src="https://api.colors-cc.top/placeholder?w=400&h=300&text=Feature+1&palette=%23F06292,%2364B5F6" alt="Feature 1">
  <img src="https://api.colors-cc.top/placeholder?w=400&h=300&text=Feature+2&palette=%234DB6AC,%2381C784" alt="Feature 2">
</div>
```
Confidence
92% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
<div class="features">
  <!-- Static placeholder images -->
  <img src="https://api.colors-cc.top/placeholder?w=400&h=300&text=Feature+1&palette=%23F06292,%2364B5F6" alt="Feature 1">
  <img src="https://api.colors-cc.top/placeholder?w=400&h=300&text=Feature+2&palette=%234DB6AC,%2381C784" alt="Feature 2">
</div>
```
Confidence
92% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
### Use Case 2: Generating Mock Data with Colors
```javascript
const palette = await fetch('https://api.colors-cc.top/palette?theme=vaporwave')
  .then(r => r.json())

const mockData = palette.colors.map((color, i) => ({
Confidence
90% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
id: i,
  name: `Item ${i+1}`,
  color: color,
  thumbnail: `https://api.colors-cc.top/placeholder?w=200&h=200&palette=${color.replace('#', '%23')},%23000000`
}))
```
Confidence
91% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
### Use Case 3: Color Picker Component
```javascript
async function getRandomColor() {
  const res = await fetch('https://api.colors-cc.top/random')
  const data = await res.json()
  return data.hex
}
Confidence
86% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
### Use Case 4: Universal Color Converter
```javascript
// Convert any color format to all formats
const result = await fetch('https://api.colors-cc.top/convert?hsl=hsl(200,50%,50%)')
  .then(r => r.json())
console.log(result.hex) // #4099BF
```
Confidence
91% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
By default, all SVG placeholders include a subtle branding watermark for viral sharing. Disable it for internal tools:
```
// With attribution (default - recommended for public-facing content)
https://api.colors-cc.top/placeholder?w=800&h=400

// Without attribution (for internal use)
https://api.colors-cc.top/placeholder?w=800&h=400&attribution=false
Confidence
90% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
https://api.colors-cc.top/placeholder?w=800&h=400

// Without attribution (for internal use)
https://api.colors-cc.top/placeholder?w=800&h=400&attribution=false
```

### ❌ Mistake 2: Fetching SVG and Re-processing
Confidence
89% confidence
Finding
https://api.colors-cc.top/

External Transmission

Medium
Category
Data Exfiltration
Content
const encoded = btoa(svg)

// GOOD - Use URL directly
<img src="https://api.colors-cc.top/placeholder?w=800&h=400" alt="Direct">
```

### ❌ Mistake 3: Invalid Dimensions
Confidence
92% confidence
Finding
https://api.colors-cc.top/

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.