Back to skill

Security audit

develop-and-deploy-web-app

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent web-app builder that intentionally installs dependencies, starts local servers, and exposes a public demo URL, so users should avoid sensitive data unless they add protection.

Install only if you want Codex to create app files, install npm dependencies, start local Node services, and expose the result through a public URL. Do not store sensitive data in generated apps unless you add authentication and access controls, and stop or remove apps when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script can terminate any process identified by the PID stored in the app's metadata, and on Windows it escalates to a forced taskkill /F. Although ownership checks and safe token/username validation reduce who can invoke the script, they do not prove that the PID actually belongs to the app started by this skill, so a tampered or stale pid record could cause termination of an unrelated local process.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill's core behavior is to make a generated application reachable from outside the machine on a shared public port, but it does not require a clear user-facing warning about privacy, authentication, or data exposure. This can lead users to unintentionally publish sensitive content, local workspace data, or insecure demo apps to the internet.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script passes application tokens as command-line arguments to a child process, which can expose secrets through process listings, shell history in some invocation paths, crash logs, telemetry, or diagnostic tooling. In a skill designed to build and deploy web apps, these tokens are likely deployment credentials, so leakage could allow unauthorized deployment actions or takeover of managed app instances.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script prints the raw token in its JSON status output, which can expose a credential to terminal logs, shell history capture, CI logs, or any caller that consumes command output. In this skill, the token appears to be used for ownership validation and app identification, so disclosure could let another party query or interfere with an app instance if they also know or can infer the associated username.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.secret_argv_exposure

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/build-app.js:31

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/deploy-app.js:13

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/install-app.js:31

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/remove-app.js:19

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/restart-app.js:14

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/restore-apps.js:12

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/start-app.js:167

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/scaffold-app.js:588

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
README.md:16

Instructions pass high-value credentials through process argv.

Critical
Code
suspicious.secret_argv_exposure
Location
references/scripts.md:7