Back to skill

Security audit

Superdesign

Security checks across malware telemetry and agentic risk

Overview

This UI design skill has a coherent purpose, but it asks for broad repository access, mutable remote instructions, global CLI installs, login, and persistent copied source context without enough user control.

Install only if you are comfortable with SuperDesign scanning substantial frontend code, writing persistent context files, installing or updating a global npm CLI, requiring account login, and sending selected source context to the SuperDesign service. Review and pin the remote instructions and CLI version where possible, approve exactly which files are passed as context, and exclude secrets, proprietary non-UI code, server logic, and sensitive configs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to copy full source code for shared components into generated markdown files, which goes beyond the minimum context needed for UI/UX assistance. This broad extraction can unnecessarily expose proprietary implementation details or embedded secrets from the repository into secondary artifacts that may later be shared, indexed, or transmitted.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Requiring recursive tracing of all local imports for key pages expands the skill from design support into broad repository introspection. That can reveal unrelated business logic, internal modules, or sensitive implementation paths simply because they are transitively imported, creating unnecessary data exposure and over-collection.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill instructs the agent to fetch a remote prompt at runtime and then follow its instructions automatically, giving externally hosted content authority over local behavior. This creates a supply-chain and prompt-injection risk: the remote file can change at any time and cause unexpected network access, file writes, or other actions beyond the declared UI/UX design purpose.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill mandates global CLI installation and authentication before any use, introducing system modification and credential-handling side effects that are not inherent to a design-assistance skill. If abused, this could lead to unauthorized package installation, execution of unreviewed code, or unnecessary login flows that expose tokens or browser-based auth to a third party.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The mandatory step to fetch 'fresh guidelines' at runtime allows live remote text to redefine how the skill behaves after distribution. That exceeds the manifest's static design-agent role and enables silent behavioral drift, including new instructions that may access files, call tools, or exfiltrate project context without review.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to automatically run `npm install -g @superdesign/cli@latest` when a flag is unavailable, which causes an unprompted global system modification outside the core design task. This expands the trust boundary to the npm supply chain and can change the host environment in a way the user did not request, making the behavior unsafe even if the stated goal is tool compatibility.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instructions direct the agent to write multiple files into `.superdesign/init/` without any explicit consent checkpoint or warning that the repository will be modified. Silent workspace modification is risky because it can introduce unexpected artifacts, affect commits, and normalize state-changing behavior that users may not have approved.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill requires automatic creation of directories, network fetching, and writing repo context files without warning the user about those side effects. Hidden side effects reduce informed consent and can surprise users by modifying repositories or transmitting context during what appears to be a simple design request.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The automatic install-and-login flow changes the system state and may initiate authentication with an external service without any user-facing warning. This is dangerous because it can install unreviewed software globally, alter the environment, and prompt credential exchange unexpectedly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill mandates repo-wide scanning and creation of `.superdesign/init/` analysis files before design work, but it does not require explicit user notification and consent before reading broadly and writing into the workspace. In practice, this can surprise users, overwrite files, leak more repository context than needed, and violate least-privilege expectations for a UI/UX design helper.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The same auto-update instruction also lacks any requirement to warn the user or obtain approval before performing a global npm installation. That means the skill can change developer tooling and execution environment as a side effect of normal use, which is especially risky because it is triggered by command incompatibility rather than explicit user intent.

Ssd 3

Medium
Confidence
98% confidence
Finding
Copying complete repository source files into generated context documents can leak secrets, internal comments, proprietary logic, and embedded tokens that may exist in frontend code or adjacent files. Even if intended for design fidelity, this creates a secondary aggregation of sensitive code that is easier to exfiltrate or mishandle than the original repository layout.

Ssd 3

Medium
Confidence
96% confidence
Finding
The requirement to include complete raw theme/config files such as Tailwind config, globals.css, and token files may expose sensitive internal configuration, private asset paths, or token values that are not necessary to accomplish design analysis. Aggregating these files into markdown outputs increases the chance of accidental disclosure through logs, prompts, or downstream sharing.

Ssd 1

High
Confidence
99% confidence
Finding
The skill grants a remote document operational authority by telling the agent to fetch it and then follow its instructions. This is a classic trust-boundary violation: remote content is mutable, unreviewed at execution time, and can direct actions inconsistent with user expectations or the skill's declared scope.

Ssd 1

High
Confidence
99% confidence
Finding
The 'fetch fresh guidelines' requirement explicitly allows externally hosted text to control current behavior on every run, effectively bypassing local review and versioning. In the context of an agent skill, this is especially dangerous because the model may follow newly introduced remote instructions that expand access to files, tools, or services.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.