Back to skill

Security audit

Frontend Engineer

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only frontend development skill with broad routing defaults but no hidden execution, data access, or persistence behavior.

Install this if you want broad frontend, mobile, UI, game UI, and Minecraft plugin guidance. Specify the stack you want when making requests, because otherwise the skill may default to React, TypeScript, and Tailwind for generic UI work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are very broad and match common frontend-related requests, which can cause the skill to activate in situations where a narrower or more appropriate skill should handle the task. Over-broad activation increases the chance of unintended behavior, prompt collisions, and policy bypass through scope confusion, especially because this skill also covers many unrelated specializations.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill combines many distinct roles and technologies under one activation scope without clear constraints on when it should not run. This ambiguity can lead to inappropriate activation, instruction dominance over more specialized safety controls, and higher risk of the agent applying irrelevant capabilities in sensitive contexts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.