SVG

Security checks across malware telemetry and agentic risk

Overview

The SVG skill appears to be a purpose-aligned helper for SVG work, with only a narrow disclosed preference file as persistent local state.

Before installing, expect the skill to retain SVG-related preferences in `~/svg/memory.md`. Do not put secrets or sensitive content in that preference file, and review or delete it if you want to reset the skill's memory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: This is a markdown file, so SQP-2 applies to omissions in user-facing warnings. The text states that preferences persist in `~/svg/memory.md` and that the file is created on first use, but it does not clearly warn the user that the skill may write to their filesystem and retain data over time.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal