Agentcad Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed CAD workflow helper that runs a scoped agentcad CLI and creates local model preview files.

Install this only if you are comfortable trusting the separate agentcad CLI and running generated CadQuery/Python CAD scripts locally. Use a project folder, and tell your agent to ask before running `agentcad view` if you do not want browser windows or local viewers opened automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill explicitly instructs the agent to open generated files in the user's browser after every successful build, without requiring user confirmation or clearly warning about the side effect. Launching a browser is an external side effect that can disrupt the user environment, unexpectedly open local HTML content, and normalize unsafe handling of generated artifacts, especially when outputs may include active content such as viewer HTML.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The command reference reinforces a mandatory 'run this after every successful build' behavior for opening files in the browser, again without opt-in or disclosure. In this skill's context, the tool generates local artifacts including HTML viewers, so automatic opening increases the chance of unintended execution of active content and violates the principle of minimizing side effects in agent actions.

VirusTotal

64/64 vendors flagged this skill as clean.