Back to skill

Security audit

Generate professional social

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent social-card rendering tool, with expected web-image/font fetching and persistent skill installation that users should understand before enabling it.

Install only if you are comfortable with a persistent skill that can be auto-selected for visual-design requests. Review the install command and repository path first, prefer local or user-supplied images for sensitive material, approve any web searches/downloads, and render only HTML you trust because embedded resources may make outbound requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
The template loads fonts from fonts.googleapis.com and fonts.gstatic.com, which causes outbound network requests when the HTML is rendered. In a local visual-rendering skill, this introduces unnecessary third-party dependency, leaks metadata such as IP/user-agent/referrer, and creates non-deterministic rendering if the external service is unavailable or changed.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes sourcing images from external services and downloading them locally, but it does not clearly require user consent or warn that portions of user requests, search terms, or URLs may be sent to third-party services. In an agent setting, this can lead to unintended data disclosure, especially when source content contains sensitive text, screenshots, or proprietary product information.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The install/update instructions encourage giving an AI agent shell access to clone repositories and run git commands in the user's home directory without warning that this changes the filesystem and executes developer tooling. While common for local skills, this still creates avoidable risk if users do not understand the scope of agent actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly encourages users to ask a shell-capable AI agent to clone and update a repository in the user's home directory. That creates a prompt-to-shell execution path without any warning to review commands, confirm target paths, or understand filesystem changes, which increases the risk of unintended command execution if the repo or pasted instructions are modified or spoofed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This section tells users to paste shell-executing installation steps into 'any AI agent' and states the agent will automatically complete installation. Normalizing autonomous command execution across arbitrary agents is risky because users may not inspect commands, permissions, or side effects before the agent clones files and writes into persistent skill directories.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The quick-start examples are generic natural-language requests that could cause the skill to trigger in situations beyond the author's intended scope, because they lack explicit activation boundaries, exclusions, or routing guidance. In an agent environment with multiple skills, this increases the chance of accidental invocation, misrouting, or unreviewed execution of rendering-related workflows.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill enables implicit invocation but does not define any trigger constraints, scope limits, or exclusion conditions. That means an agent may auto-select this skill in broader contexts than intended, causing unreviewed content generation or unintended handling of user data and prompts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script loads arbitrary HTML from the task directory into a real Playwright browser using page.setContent(..., { waitUntil: 'networkidle' }), which allows embedded resources such as images, fonts, CSS, and scripts to make outbound network requests during rendering. If untrusted HTML is processed, this can leak environment metadata, trigger unexpected external connections, and potentially enable SSRF-style access to internal network services from the rendering host.

Session Persistence

Medium
Category
Rogue Agent
Content
> Install the `guizang-social-card-skill` Claude Code skill for me. Steps:
>
> 1. Make sure `~/.claude/skills/` exists (create if not)
> 2. Run `git clone https://github.com/op7418/guizang-social-card-skill.git ~/.claude/skills/guizang-social-card-skill`
> 3. Verify: `ls ~/.claude/skills/guizang-social-card-skill/` should show `SKILL.md`, `assets/`, `references/`
> 4. Tell me when done. Later, saying things like "make me a Xiaohongshu carousel" will trigger this skill.
Confidence
86% confidence
Finding
create if not) > 2. Run `git clone https://github.com/op7418/guizang-social-card-skill.git ~/.claude/skills/guizang-social-card-skill` > 3. Verify: `ls ~/.claude/skills/guizang-social-card-skill/` sho

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.