
Security audit

Textbook Virtual Simulator

Security checks across malware telemetry and agentic risk

Overview

The skill’s core purpose is coherent, but its generated apps persist learner activity and depend on third-party CDNs without clear consent, retention, or deployment warnings.

Review before installing or using in a school or learner-facing setting. Only process materials you are authorized to use, inspect generated code before deployment, disclose any learner progress or analytics tracking, provide a way to clear stored data, and consider vendoring or pinning third-party web dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to read user-supplied materials and write generated application files, but it does not declare corresponding permissions or execution boundaries. This creates a mismatch between advertised privileges and actual behavior, increasing the risk of unintended file access, unsafe writes, or reviewers underestimating the skill's operational reach.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The generated JavaScript persistently stores detailed user action history and learning metrics in localStorage, including timestamps, session IDs, pages, quiz results, and progress, without any minimization, retention control, or sensitivity review. In an education context this creates unnecessary behavioral profiling data that can be read by any script running on the same origin, increasing privacy and data exposure risk if the hosting app later suffers XSS or includes untrusted scripts.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The generator emits HTML that automatically loads JavaScript and CSS from multiple public CDNs (unpkg, jsDelivr, cdnjs, Google Fonts). This creates a software supply chain and privacy risk because every generated app depends on remote third parties at runtime, and a compromise, outage, or policy change in those services can alter application behavior or leak user metadata. In the context of an educational simulator generator, this network-fetch behavior is broader than the stated file-to-webapp transformation role and should be treated as a real security concern.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script’s stated purpose is generating interactive learning components, but it also generates persistent progress tracking and analytics/event collection logic. That expands data collection beyond minimally necessary UI generation and can create privacy and consent issues, especially because learner actions and milestones are recorded and exposed through analytics hooks without any explicit opt-in or retention controls.

Context-Inappropriate Capability

Low
Confidence
94% confidence
Finding
The generated ProgressTracker stores learning progress persistently in localStorage under a fixed key, so activity data remains on the device across sessions. While this does not by itself enable code execution, it is a privacy/security weakness because any script running on the same origin can read it, and shared devices may expose previous users’ progress.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad enough to activate on many general education, visualization, or simulation requests, which can cause the skill to run in contexts the user did not clearly intend. Because the skill can process materials and generate complete web applications, over-triggering raises the chance of unnecessary file handling or unreviewed code generation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill describes parsing uploaded materials and producing deployable web applications, but it does not warn users about sensitive content handling, generated-code review needs, or the risks of deploying output without validation. In this context, the omission is meaningful because educational source materials may contain proprietary data and generated web apps can introduce downstream security issues if trusted blindly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guidance explicitly encourages collecting user behavior, performance, error logs, and learning-effectiveness data, but does not pair that recommendation with privacy safeguards such as informed consent, data minimization, retention limits, anonymization, or access controls. In an educational simulator context, this can lead builders to implement broad learner telemetry by default, potentially exposing student data and creating compliance risk under privacy laws and school policies.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The generated tracker initializes automatically, restores prior sessions, and logs detailed user actions without any user-facing notice, consent flow, or configuration gate. In a teaching simulator this is more dangerous because learners may be minors or in regulated educational settings, making silent behavioral tracking a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The generated app stores progress, quiz state, and analytics data in localStorage without any consent flow, retention controls, or sensitivity review. localStorage is readable by any script running on the same origin, persists indefinitely, and can expose user learning activity or derived analytics if the generated app later includes vulnerable or third-party scripts; this is more concerning here because the generator already injects remote CDN dependencies into the produced app.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.