Back to skill

Security audit

Baoyu Electron Extract

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it locally extracts Electron app bundles, which is sensitive but clearly disclosed and user-directed.

Install only if you intentionally want an assistant to inspect or extract installed Electron applications. Prefer a dry run first, confirm ambiguous app names or prompts, avoid --force unless you mean to reuse an existing output folder, and treat extracted output as sensitive because it may include proprietary code, configuration, or secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad enough to match ordinary conversational requests like 'look inside <app>' or 'how is <app> built,' which can cause accidental invocation of a skill that extracts and decompiles installed Electron applications. In this context, unintended activation is more sensitive because the skill operates on local installed software and can expose bundled code and resources from the user's machine.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/main.ts:378