Kai Report Creator V1.23.3

Security checks across malware telemetry and agentic risk

Overview

This skill is a report generator. Its generated HTML carries in-browser edit and export features (some of them reachable only through a concealed toggle and a keyboard shortcut, as the findings below describe) and loads JavaScript from public CDNs, and its README documents a workflow that sends rendered reports to Telegram, which is outside the declared report-creation scope. I found no evidence of hidden credential use, data theft, or destructive behavior.

Before installing, understand that a generated report executes third-party CDN JavaScript when it is opened, unless the dependencies are bundled or the offline path is used, and that the report file itself includes local edit and export controls. Do not open sensitive reports with network access unless you trust those dependencies; prefer the bundled/offline path, and treat an opened report as an editable artifact rather than a fixed deliverable.

SkillSpector, by NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (58)

Description-Behavior Mismatch

High severity, 78% confidence
The README documents an end-to-end workflow that renders a report, screenshots it, and sends it to Telegram, which exceeds the declared report-creation scope and introduces an external transmission action. In agent environments, scope drift matters because operators may invoke or permit actions they did not expect, causing unintended data exfiltration to third-party services.

Description-Behavior Mismatch

High severity, 92% confidence
The skill metadata says this skill does not handle exporting finished HTML to PNG/PPTX and should defer that to another skill, yet the README documents image export and Telegram delivery as if they are part of this skill's behavior. That mismatch can cause unsafe overreach by an agent, leading it to perform actions outside the declared trust boundary and potentially send generated content externally without the user selecting the appropriate specialized skill.

Context-Inappropriate Capability

High severity, 94% confidence
Documenting direct Telegram sending gives the skill an implied messaging/integration capability unrelated to report creation. In an agent environment, such documentation can be treated as authorization guidance, increasing the chance that sensitive report contents are transmitted to third-party channels without appropriate consent, review, or policy checks.

Context-Inappropriate Capability

Medium severity, 90% confidence
The example report includes a hidden edit mode plus client-side save/export behavior, which goes beyond passive report rendering and enables modification of content directly in the browser. In a report-generation skill, this can mislead users about document provenance and enable silent tampering of generated artifacts without any integrity marker or warning.

Context-Inappropriate Capability

Medium severity, 93% confidence
This demo artifact includes a hidden in-browser edit mode plus local save behavior, which expands the skill from report rendering into ad hoc document editing and export. That creates an undocumented capability boundary: users or downstream agents may treat the output as a trustworthy generated report when it can be silently modified in-browser and re-saved without provenance or warning.

Description-Behavior Mismatch

Medium severity, 92% confidence
The page allows content to be changed via contenteditable and then exported as a new HTML file with Ctrl/Cmd+S, exceeding the stated generation/review/rendering scope. In a report-creation skill, this is risky because modified artifacts can be redistributed as if they were original system-generated outputs, undermining integrity and auditability.

Description-Behavior Mismatch

Medium severity, 89% confidence
The example report includes hidden in-browser editing UI elements, which expands its behavior beyond passive report rendering into local document modification. In a report-generation skill, undisclosed edit/save capabilities can mislead users about what the artifact can do and create an unexpected path for altering document content and saving the altered copy.

Context-Inappropriate Capability

Medium severity, 93% confidence
The page enables arbitrary contenteditable editing across most report text elements through a concealed toggle and keyboard shortcut. That creates an undocumented authoring surface that can be abused to modify report contents without clear user awareness, which is risky in a tool intended to generate trustworthy business reports.

Context-Inappropriate Capability

Medium severity, 95% confidence
The Ctrl/Cmd+S handler exports the full current HTML document, including any edited content, as a downloaded file. This undeclared export capability lets the current, possibly manipulated, version of a report be saved and redistributed as if it were the original, under the guise of a normal browser save action.

Context-Inappropriate Capability

Medium severity, 96% confidence
This demo report contains a concealed in-browser edit mode trigger and associated editing controls that are not necessary for simply viewing a generated report. In a report-generation skill, embedding undocumented editing behavior expands the artifact's capability surface and can mislead users into modifying content or saving altered outputs without understanding that the HTML is interactive rather than a static deliverable.

Description-Behavior Mismatch

Medium severity, 94% confidence
The HTML binds Ctrl/Cmd+S to generate and download a full local copy of the current document, effectively building an export workflow into the artifact. That conflicts with the skill's stated scope, which excludes finished-HTML export workflows, and gives any content rendered in the page, including user edits and embedded sensitive business information, an undocumented copy-out path.

Context-Inappropriate Capability

Medium severity, 94% confidence
The file dynamically injects a script from a public CDN at runtime, creating a supply-chain and integrity risk. If the CDN, package, network path, or dependency is compromised, arbitrary JavaScript would execute in the page context and could access the full report DOM and any embedded sensitive data before export.

Description-Behavior Mismatch

Medium severity, 87% confidence
The template embeds export controls for Print/PDF and PNG/JPEG generation even though the skill metadata says finished HTML-to-PPTX/PNG export should be handled by a different skill. This creates capability drift and can bypass intended separation of duties, increasing the chance that users invoke unsupported export behavior with fewer controls or reviews.

Description-Behavior Mismatch

Medium severity, 93% confidence
The page dynamically loads html2canvas from a public CDN at runtime to capture the report as images. This expands the skill beyond local report rendering into executable remote dependency fetching, which introduces supply-chain risk and network-side code execution in the user's browser context.

Context-Inappropriate Capability

Low severity, 80% confidence
The template pulls highlight.js and Chart.js from public CDNs, causing the generated report to execute third-party code and fetch remote assets when opened. In a report-generation skill, that is broader than strictly necessary and introduces privacy leakage, availability dependence, and supply-chain exposure.

Description-Behavior Mismatch

Low severity, 90% confidence
The template pulls executable JavaScript from third-party CDNs at runtime (Chart.js and highlight.js) without integrity pinning or local bundling. If the CDN, dependency, or delivery path is compromised, arbitrary script will execute in the context of the generated report, which is especially risky for a report generator that may render untrusted user content or be opened locally by users.

Description-Behavior Mismatch

Medium severity, 93% confidence
The code dynamically injects a script tag to fetch html2canvas from a CDN at runtime, creating an additional remote code execution surface in every opened report. Because this happens eagerly on page load, users are exposed even if they never choose export, and a compromised dependency could access all rendered report content in the DOM.

Description-Behavior Mismatch

Medium severity, 94% confidence
The template exposes built-in PNG/JPEG export actions even though the skill metadata explicitly says finished HTML-to-image export should be handled by a different skill. This scope expansion is security-relevant because it adds unreviewed functionality and increases the attack surface, especially when paired with DOM capture and file-generation code elsewhere in the template.

Description-Behavior Mismatch

Medium severity, 97% confidence
The code implements client-side screenshot/export behavior with html2canvas, which materially exceeds the declared purpose of report creation. Even without obvious code execution, this introduces extra privileged behavior—capturing rendered content, generating files, and handling cross-origin resources—that was not part of the approved scope.

Context-Inappropriate Capability

Low severity, 89% confidence
The template loads executable JavaScript and styles from third-party CDNs at runtime. This creates a supply-chain and privacy risk: whoever controls or compromises those remote assets can alter behavior in every rendered report, and viewers' browsers will make external requests unrelated to the core templating function.

Context-Inappropriate Capability

Medium severity, 96% confidence
The export code dynamically injects a script tag to fetch html2canvas from a remote CDN at runtime, adding network-active behavior beyond the expected scope of a local report template. Dynamic remote script loading is especially risky because it bypasses static packaging review and gives remote code immediate execution in the page context.

Context-Inappropriate Capability

Medium severity, 93% confidence
The page loads executable JavaScript from a third-party CDN at runtime, creating a supply-chain and integrity risk. If the CDN, package, or transit path is compromised, arbitrary code executes in the context of the generated report, which is especially risky for a report template expected to be viewed locally and trusted by end users.

Context-Inappropriate Capability

Medium severity, 95% confidence
The export feature dynamically injects a remote script for html2canvas, adding hidden network-dependent executable behavior at the moment of export. This enlarges the attack surface and enables arbitrary script execution if the remote dependency is tampered with, while also undermining expectations that report generation/export is self-contained.

Description-Behavior Mismatch

High severity, 95% confidence
The template exposes direct PNG/image export actions even though the skill metadata explicitly states that exporting finished HTML to PNG should be handled by a different skill. This creates unauthorized capability expansion: users and downstream agents can bypass intended skill boundaries and invoke functionality that the manifest says is out of scope, undermining policy enforcement and review assumptions.

Context-Inappropriate Capability

Medium severity, 89% confidence
The template loads Chart.js from a remote CDN at render time, adding network dependency and third-party code execution to what should otherwise be a local report template. If the CDN response is tampered with, unavailable, or replaced, the rendered report executes untrusted JavaScript in the user's browser, affecting integrity and potentially exposing report contents or browser context.

VirusTotal

66/66 vendors flagged this skill as clean.
