QA Check

Security checks across malware telemetry and agentic risk

Overview

This QA skill is purpose-aligned and low risk, though its helper script does less than the documentation implies.

Installers should treat this as a lightweight QA checklist plus partial helper script, not a full deployment gate. Run it only on projects where you are comfortable executing npm build, and remember that browser, mobile, broken-link, and broken-image checks still require manual or separate automated verification.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The skill manifest claims mandatory QA coverage for browser functionality, mobile responsiveness, and broken link/image validation, but the script does not implement any of those checks. This creates a false sense of assurance: teams may treat a passing result as deployment-ready even though important runtime and UX regressions remain untested.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal