Back to skill

Security audit

Design Spec Personal

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed UI design/spec generation skill with local preview and QA steps; no artifact-backed malicious behavior was found.

Before installing, understand that the skill may create files under designs/<project>, start a localhost preview server, use connected Figma/GitHub tooling for links you provide, and save approved design references for future reuse. Avoid approving or storing sensitive proprietary designs unless that local reuse is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The prompt explicitly authorizes shell commands, local HTTP serving, Node-based pipeline execution, and GitHub API access. For a design/spec generation skill, this meaningfully expands capabilities beyond core rendering/spec tasks and can be abused to access repository contents, execute unintended commands, or operate on local files if an attacker steers the model via task input.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill instructs the agent to persist approved designs and lessons into reference directories and to reuse them in future sessions. This creates undeclared cross-session memory and data retention behavior, which can leak sensitive design artifacts, contaminate future outputs, or let adversarial content persist as trusted guidance.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The invocation description includes very broad trigger terms such as general design, UI, prototype, mockup, wireframe, and common framework names. In an agent ecosystem, this can cause the skill to activate for a wide range of ordinary requests, increasing the chance that it hijacks unrelated tasks, changes behavior unexpectedly, or processes untrusted files and external inputs when not necessary.

Natural-Language Policy Violations

High
Confidence
96% confidence
Finding
The skill metadata and description are written to force Chinese-language behavior without any user opt-in, which can override user language preference and system behavior. For a spec-generation skill, this is especially risky because it can produce requirements, assumptions, and acceptance artifacts in an unexpected language, causing misimplementation, review failure, or downstream automation errors.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The alias trigger "arco" is generic enough to match ordinary product names, project codenames, or natural-language references unrelated to Arco Design. In this skill, aliases are used to select a design profile, so an overbroad trigger can cause unintended profile activation, leading the agent to apply the wrong design system, constraints, templates, or runtime behaviors based on ambiguous user input.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.