Back to skill

Security audit

Hyperframes Creative

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate HyperFrames creative-direction skill, with some third-party network and optional helper-install behavior users should understand.

Install only if you are comfortable with a creative video-design skill that may create project-local .hyperframes files, run optional helper scripts, contact Google Fonts/jsDelivr in preview HTML, and temporarily bootstrap npm helper packages when you explicitly approve it. Prefer pinning helper versions and reviewing generated HTML before publishing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The file loads executable JavaScript from a third-party CDN at runtime, which creates a supply-chain and trust-boundary risk: if the CDN, package, or delivery path is compromised, arbitrary code will execute in the rendering environment. In this skill context, the template is otherwise a local preset for creative/design handling, so reaching out to the network for code is unnecessary and increases exposure rather than being required for core functionality.

Description-Behavior Mismatch

Low
Confidence
89% confidence
Finding
The HTML loads Google Fonts from external domains, which causes network access when the showcase is opened and leaks viewer metadata such as IP address, user agent, and timing to third parties. In a skill expected to be a local design/showcase artifact, this adds unnecessary external dependency and weakens privacy and reproducibility.

Description-Behavior Mismatch

Low
Confidence
92% confidence
Finding
The file repeats external Google Fonts stylesheet loads later in the document, creating additional network-dependent behavior and redundant third-party requests. This increases privacy exposure and makes rendering dependent on external availability despite the file being a static showcase.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The preset fetches Google Fonts from external domains, which creates an unnecessary network dependency for what is otherwise a static local HTML artifact. This can leak usage metadata, weaken offline/reproducible rendering, and introduce supply-chain or privacy concerns if remote assets change or become unavailable.

Context-Inappropriate Capability

Low
Confidence
93% confidence
Finding
The file includes additional remote Google Fonts stylesheets later in the document, duplicating earlier external font fetches. This increases external dependency surface and unnecessary outbound requests without adding security value.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The loader can trigger dependency bootstrap and re-execute the current process, which is behavior far outside a creative-direction skill’s declared scope. Even with safeguards like --ignore-scripts, pinning checks, and interactive confirmation, this still introduces code-fetching and process-spawning capability that expands the attack surface and can surprise users in a context where they would not expect system-level package management.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code directly invokes npm to install packages into a temporary directory and then respawns Node with modified environment variables, giving the skill a software installation and execution pathway. In a skill advertised for creative-spec assistance, that capability is dangerous because it enables network-driven code retrieval and execution-adjacent behavior that exceeds user expectations and could be abused if package specs or environment controls are influenced.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The resolver searches package locations derived from environment variables and PATH-related node_modules directories, allowing ambient environment state to influence which module gets imported. In a trusted local tool this may be convenient, but in a skill context it weakens trust boundaries and can lead to dependency confusion or unintended module loading from attacker-controlled directories.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
Loading executable JavaScript from a third-party CDN expands the trust boundary and creates a supply-chain risk: if the CDN, dependency, or delivery path is compromised, arbitrary script executes in the page context. In this skill, GSAP is only used for easing previews, so the remote code execution surface is disproportionate to the feature provided.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The HTML pulls fonts from Google-hosted domains, which causes the client to make third-party network requests when the page is loaded. This can disclose user metadata such as IP address, user agent, and request timing without any in-file disclosure or consent mechanism, making it a real but low-severity privacy issue.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file loads GSAP directly from a third-party CDN at runtime, creating a supply-chain and integrity risk if the CDN response is tampered with, unavailable, or replaced. In this skill context, the HTML is intended to be copied into downstream projects and rendered automatically, so the external dependency expands the trust boundary and can enable arbitrary script execution in every consuming project.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The file loads GSAP directly from a third-party CDN at runtime, which creates a supply-chain and integrity risk if the CDN response is compromised, swapped, or unavailable. In this skill context, the HTML is intended to be copied into generated project assets and rendered by an engine, so the external dependency executes automatically rather than being a purely informational reference.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The file loads GSAP directly from a third-party CDN at runtime without any integrity pinning or local vendoring. If the CDN is unavailable, compromised, or serves unexpected content, the rendered composition could execute untrusted JavaScript in the consuming environment; in a skill/preset context that is copied into downstream projects, this supply-chain risk propagates broadly.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The file explicitly states 'Mono chrome stays Latin/digit-only,' which imposes a language/script restriction without any indication that the user requested or consented to that limitation. In a creative-direction skill, this can cause the agent to exclude or degrade non-Latin scripts, leading to unfair or incorrect outputs for multilingual users and reducing accessibility and localization support.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The file loads fonts from Google Fonts, which causes client browsers to contact a third-party service and disclose metadata such as IP address, user agent, and timing without any in-file notice or consent mechanism. This is primarily a privacy/compliance issue rather than code-execution risk, but it is still a real exposure whenever the showcase is opened.

Missing User Warnings

Low
Confidence
90% confidence
Finding
These additional stylesheet links trigger more third-party font fetches, expanding the same privacy and tracking surface beyond the initial preload links. The issue is low severity because it does not enable active compromise, but it does create unnecessary outbound requests and potential policy noncompliance.

Missing User Warnings

Low
Confidence
97% confidence
Finding
The file loads GSAP from a third-party CDN at runtime, which introduces a supply-chain and availability risk. If the CDN content is tampered with, blocked, or changed unexpectedly, the caption skin executes untrusted code in the page context; the skill context increases risk because this HTML is meant to be copied into projects and rendered as part of a composition pipeline.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The HTML causes third-party font downloads without any disclosure to the user or operator. In a creative-direction skill, this is a privacy/transparency issue because loading the file triggers external requests that may expose IP, user-agent, and access timing to Google.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The instruction to 'Run on every composition' creates an overly broad trigger that can cause the expansion routine to activate on nearly all requests, including cases where the user may not expect prompt rewriting or file output. In this skill, that broad activation increases the chance of unnecessary processing, unintended modification of user intent, and downstream actions being taken without sufficiently explicit user confirmation.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The skill instructs the agent to write output to `.hyperframes/expanded-prompt.md`, but the skill metadata/description does not clearly warn that this skill performs filesystem writes. Even though the target path is project-local, hidden or unexpected file creation can surprise users, overwrite prior work, or normalize silent state changes in a workflow.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The document instructs users to run a curl command against a third-party endpoint and process the result locally, but it does not explicitly warn that this makes an outbound network request or that the workflow depends on Google Fonts metadata availability and integrity. In a documentation skill, this is a real but low-severity supply-chain and privacy transparency issue: users may unknowingly contact an external service, and build or selection behavior can change if the remote data is unavailable or manipulated.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/package-loader.mjs:248

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/package-loader.test.mjs:54