
Security audit

Create Web Form

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only web form skill with some outdated or unsafe example guidance, but no hidden execution, persistence, or data access behavior.

Safe to install as reference material, but review generated forms before deployment. Do not trust hidden fields, use server-side validation and authorization, use prepared statements for all user-controlled SQL, configure cookies securely, disable Flask debug mode in production, keep secrets in environment variables or a secret manager, and prefer hosted payment tokenization over raw payment-data handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium (96% confidence)
Finding
The documentation states that hidden fields 'cannot be seen or modified by users,' which is incorrect and unsafe guidance. Hidden inputs are trivial to alter with browser developer tools, proxies, or crafted requests, so readers may wrongly trust client-supplied values such as prices, roles, or account identifiers.

Intent-Code Divergence

Medium (95% confidence)
Finding
The document correctly advises using prepared statements for user-supplied data, but earlier examples normalize direct SQL string construction for INSERT, UPDATE, DELETE, SELECT, and pagination patterns. In an agent skill context, example code is likely to be copied into real implementations, so inconsistent guidance can lead downstream users or agents to generate SQL-injection-prone code when adapting these patterns to live form input.

Missing User Warnings

Medium (95% confidence)
Finding
The example sets cookies using insecure defaults: it omits the Secure and HttpOnly flags and does not warn readers that cookie values should not be trusted for security-sensitive purposes. In a form-building skill, developers may copy these examples directly into authentication, session, or preference flows, increasing exposure to interception over HTTP and client-side script access during XSS incidents.

Missing User Warnings

Medium (89% confidence)
Finding
The sample code starts Flask with debug mode enabled, which is unsafe if copied into anything beyond local development because debug mode can expose sensitive error details and, in some deployments, an interactive debugger. In a reference file for building web forms and Flask apps, readers may copy this snippet directly, so the omission of an immediate development-only warning makes the example materially risky.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.