Back to skill

Security audit

Content Visual Forge

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed content-to-visual workflow with no packaged executable code or hidden privileged behavior.

Installers should treat this as a visual-content workflow skill. Review its broad activation scope and specify the source material, target platform, language, output size, and whether image generation or engineering rendering should be used. The scanned artifact does not show hidden code execution, credential handling, or data exfiltration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description is broadly scoped across many common content-creation requests, which can cause the agent to invoke this skill in situations beyond the user's precise intent. Over-broad activation increases the chance of unintended tool use, misrouting, or excessive processing of user-provided content, especially when the skill handles multi-source inputs and downstream rendering decisions.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
Hard-coding Chinese legibility as a priority without checking user language, locale, or target audience can override user intent and produce inappropriate or misleading outputs for non-Chinese contexts. While not a classic security flaw, it is a policy/routing weakness that can cause incorrect content handling and reduce reliability in multilingual workflows.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.