Security audit

Html Report Generator

Security checks across malware telemetry and agentic risk

Overview

The skill appears to generate HTML reports, but its broad triggers and deploy behavior could publish user content with too little explicit control.

Install only if you want a skill that can create and potentially deploy HTML pages. Treat deployment as public unless proven otherwise, review generated content before hosting it, and avoid using sensitive personal, business, or internal data unless the skill is changed to require explicit deployment approval.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger phrases are generic enough that ordinary requests like '生成报告' or '制作网页' could invoke this skill unintentionally. Because the skill writes files and deploys generated HTML, overbroad activation increases the chance of surprising side effects and unauthorized publication of user-provided content.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The skill instructs the agent to write an index.html file and deploy it, but does not clearly warn the user that their input may be published as hosted content. In a report generator context, users may supply sensitive business, personal, or internal data, so silent deployment can cause confidentiality breaches and accidental data exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal