Security audit

Hyperframes Animation

Security checks across malware telemetry and agentic risk

Overview

This animation skill is coherent and purpose-aligned; the main cautions are remote demo libraries and an optional dependency bootstrap path, not hidden or destructive behavior.

Before installing, treat the included HTML examples as online demos that may fetch CDN-hosted JavaScript. If you use the animation-map helper in a locked-down environment, prefer preinstalling or explicitly pinning the HyperFrames helper package with HYPERFRAMES_SKILL_PKG_VERSION, and avoid enabling automatic bootstrap unless you are comfortable with the shown npm package spec.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Severity: Low
Confidence: 88%
Finding:
The file imports GSAP directly from a third-party CDN at runtime, which creates an external supply-chain and availability dependency. If the CDN content is tampered with, unavailable, or blocked, the example could execute unintended code or fail unpredictably, which is unnecessary risk for a local example asset.

Context-Inappropriate Capability

Severity: Low
Confidence: 94%
Finding:
The file loads GSAP from a third-party CDN at runtime, which introduces an unnecessary external trust and availability dependency into an example that otherwise appears self-contained. If the CDN asset is tampered with, blocked, or changed unexpectedly, any consumer opening the example would execute unreviewed remote JavaScript.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The file imports executable JavaScript from a third-party CDN at runtime, which creates a supply-chain and integrity risk: anyone controlling or tampering with that dependency path can execute arbitrary code in the viewer's browser. In this skill context, the example is presented as a self-contained animation scene, so silently depending on network-loaded code makes the artifact less deterministic and expands trust beyond the repository.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The HTML example loads executable JavaScript from a third-party CDN (`cdn.jsdelivr.net`) at runtime. In a skill that is described as local animation knowledge and blueprints, this introduces a supply-chain and trust-boundary risk because anyone opening the example executes remote code that can change independently of the skill contents.

Context-Inappropriate Capability

Severity: Low
Confidence: 92%
Finding:
The file loads GSAP from a third-party CDN, which creates a supply-chain and availability dependency outside the local example. If the CDN response is tampered with, unavailable, or changed unexpectedly, anyone opening the example executes untrusted remote JavaScript in their browser.

Intent-Code Divergence

Severity: Low
Confidence: 95%
Finding:
The comments state the example is self-contained and needs no asset files, but it still depends on an external script. This mismatch can mislead users into trusting the file as offline/local-only when it actually pulls executable code from the network.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The file-level comments state that bootstrapped dependencies are version-pinned and imply no floating versions are allowed, but the implementation can fall back to `@latest` when it cannot determine the bundled version. That weakens the supply-chain guarantee and can cause the skill to fetch whatever package version is current at install time, reducing determinism and increasing exposure to a newly published or compromised release.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The inline comment explicitly says `@latest` is acceptable and 'satisfies the pinned-spec guard', which normalizes a floating-version install despite the surrounding defense-in-depth claims. In a bootstrapper that performs network package installation, accepting `@latest` undermines reproducibility and increases supply-chain risk because the downloaded artifact can change over time without code changes.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding:
The example silently fetches and executes external code without any disclosure to the user or reviewer. In a skill package expected to provide local animation knowledge/examples, undisclosed network execution reduces transparency and can surprise offline or security-sensitive environments.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding:
The page silently loads executable code from a CDN with no user-facing notice. While common in demos, undisclosed network execution reduces transparency and can surprise users in environments that expect local-only examples or restricted outbound access.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
When version resolution fails, the code may construct `${packageName}@latest` and then proceed to a real `npm install` from the network after user or environment-based approval. Although `--ignore-scripts`, `--no-save`, and no-shell spawning reduce risk, the core issue remains a floating package fetch with weaker-than-advertised guarantees, which is a meaningful supply-chain vulnerability in a helper that auto-installs dependencies.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Severity: Critical
Code: suspicious.dangerous_exec
Location: scripts/package-loader.mjs:248

Shell command execution detected (child_process).

Severity: Critical
Code: suspicious.dangerous_exec
Location: scripts/package-loader.test.mjs:54