Security audit

Html Anything

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real HTML-conversion helper, but it deserves review because it handles private exports, includes risky Discord token instructions, and overstates local-only privacy.

Review before installing. Do not paste or extract Discord user tokens for this skill, and treat every generated HTML file as sensitive because it may contain the original private data. Use redacted or minimized exports, avoid sharing outputs unless you have checked the embedded records, and prefer removing external font calls and replacing the 'never left your machine' footer text with wording that matches your actual model and processing setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Intent-Code Divergence

Severity: High, confidence 98%
The prompt instructs the generated page to claim that the vault 'never left your machine,' which can be false if note contents are transmitted to a remote model or service to produce the HTML. This is a deceptive privacy assurance that may cause users to share sensitive personal or corporate notes under an incorrect trust assumption.

Context-Inappropriate Capability

Severity: High, confidence 98%
The skill explicitly tells the agent to instruct users to obtain a Discord user token from browser DevTools and use it for export. A Discord user token is a highly sensitive credential equivalent to account access, so guiding users to extract it materially increases the risk of credential theft, account compromise, and violation of platform rules; this is especially dangerous because the skill’s purpose is HTML conversion, not secure credential handling.

Intent-Code Divergence

Severity: Medium, confidence 84%
The text minimizes policy and privacy risk by saying the output is 'fine to keep' while only softly cautioning users about sharing. That framing can encourage users to proceed with exporting and retaining sensitive chat data without adequately emphasizing consent, confidentiality, and potential terms-of-service or privacy violations.

Intent-Code Divergence

Severity: Medium, confidence 96%
The file explicitly says the output must work offline with no external runtime calls, but the required footer carves out a Google Fonts exception. That exception still causes a third-party network request when the page is opened, leaking metadata such as IP address, user agent, and page access timing, which is especially sensitive given the page contains intimate reading-history data.

Intent-Code Divergence

Severity: Medium, confidence 97%
The footer promises that the transcript 'never left your machine' and was 'generated locally,' but the prompt also explicitly instructs the LLM to analyze transcript content to produce summaries, decisions, action items, and other insights. If the skill is implemented using a remote model or service, this statement is materially misleading and can cause users to share sensitive meeting transcripts under false privacy assumptions.

Description-Behavior Mismatch

Severity: Medium, confidence 91%
The prompt promises that the user's Twitch export 'never left your machine' while also instructing generation of an LLM-derived observation from the user's watch history. If the implementation uses a remote model or external API, this creates a misleading privacy assurance and can cause users to disclose sensitive viewing and chat history under false assumptions. In this skill context, the data includes detailed behavioral history, which makes inaccurate privacy claims more dangerous than in a low-sensitivity artifact generator.

Intent-Code Divergence

Severity: Medium, confidence 94%
The footer text states that the full Twitch history never left the user's machine and is rendered client-side, but earlier instructions require an LLM observation derived from that same private history. This contradiction is security-relevant because it can deceive users about data handling and undermine informed consent for processing sensitive chat and viewing data. The skill context increases risk because users are asked to upload a rich personal archive containing habits, interests, and potentially intimate message content.

Vague Triggers

Severity: Medium, confidence 89%
The skill's invocation scope is extremely broad, covering generic requests like making a webpage, dashboard, teaching site, or visualizing/analyzing arbitrary inputs. This can cause unintended activation on common user requests and route sensitive files, folders, URLs, or exports into a powerful transformation workflow without sufficiently explicit user intent for this specific skill.

Missing User Warnings

Severity: High, confidence 99%
The instructions describe how to extract and use a Discord user token but omit strong warnings that the token is a secret granting account access and may expose the user to account takeover or enforcement action. In context, this omission is serious because a content-conversion skill should not normalize risky credential-handling workflows or teach users to bypass safer export methods.

Missing User Warnings

Severity: Medium, confidence 89%
The skill explicitly directs the generated page to render full email bodies, attachment metadata, and searchable thread content, which can expose highly sensitive personal and organizational information in a shareable HTML artifact. Although the footer includes a privacy note, it appears late and does not meaningfully mitigate the risk of accidental disclosure when users open, share, or screen-share the output.

Missing User Warnings

Severity: Medium, confidence 88%
This prompt explicitly tells users to export and upload Google Maps Saved/Starred data, which can reveal highly sensitive personal interests, routines, future travel plans, and private notes. In this skill context, the data is not incidental metadata but the core input, so the absence of any privacy warning, minimization guidance, or consent language materially increases the risk of exposing sensitive location information to the agent and downstream outputs.

Missing User Warnings

Severity: Medium, confidence 91%
The prompt explicitly instructs the generated HTML to expose the full event list, including description, full attendee list, organizer, location, and recurrence details, but provides no requirement for consent, redaction, or any user-facing warning that calendar exports often contain sensitive personal and organizational data. In this skill context, that is a real privacy/security issue because `.ics` files commonly include private meeting titles, email addresses, locations, travel plans, and internal descriptions, and the skill is designed to turn them into a polished, shareable HTML artifact.

Missing User Warnings

Severity: Medium, confidence 91%
The skill walks users through extracting and uploading `My Clippings.txt` before clearly foregrounding that the file can contain years of intimate highlights, notes, and behavioral history. That omission creates a consent and privacy risk because users may disclose sensitive personal reading data without understanding its scope before following the export workflow.

Missing User Warnings

Severity: Medium, confidence 94%
The footer acknowledges a Google Fonts request, but the main skill description and workflow emphasize offline/local privacy without prominently warning that opening the generated page still contacts an external service. In the context of highly sensitive Kindle annotations, that silent third-party disclosure undermines informed consent and weakens the claimed privacy model.

Missing User Warnings

Severity: Medium, confidence 88%
The prompt tells non-admin users to use third-party export tools to extract Slack channel data but does not warn about privacy, authorization, or organizational policy constraints. In a skill explicitly designed to transform Slack exports into shareable HTML artifacts, this omission can encourage users to exfiltrate workplace communications or process other people’s content without informed consent or approval.

Missing User Warnings

Severity: Medium, confidence 90%
The skill explicitly tells users to upload Spotify privacy export files into Claude Code and suggests a third-party service as an immediate alternative, but it does not clearly warn that these exports contain highly sensitive behavioral data such as full listening history, timestamps, device/platform metadata, and potentially long-term personal patterns. In a skill that transforms local data into HTML, users may underestimate the privacy implications of sharing or processing such files, increasing the risk of unnecessary disclosure to the model, the tool environment, or external services.

Missing User Warnings

Severity: Medium, confidence 83%
The prompt explicitly encourages treating extensive Twitch viewing and chat history as a celebratory artifact and says it should 'not feel like a privacy alarm,' without adequately warning users that the export can contain highly sensitive behavioral and communication data. This framing can suppress appropriate caution and lead users to share or process private records they do not fully understand. In this context, the combination of watch history, chat logs, subscriptions, and bits can reveal interests, routines, relationships, and spending behavior, making minimization and notice important.

Missing User Warnings

Severity: Medium, confidence 88%
This style explicitly calls for linked evidence pits and a searchable record browser over activity streams such as Slack, Discord, sales, support, and chat data, but it does not require privacy gating, masking, or user consent before surfacing potentially sensitive records. In this skill context, the generated HTML artifact is meant to be polished and shareable, which increases the chance that private message content, names, or operational details are exposed more broadly than intended.

Missing User Warnings

Severity: Medium, confidence 91%
The style encourages using real topics, messages, or labels as animated 'sweat' fragments in the main motion, which can surface snippets of sensitive source text in a highly visible part of the page. Because this skill produces polished live HTML pages, these fragments may expose private chat content, customer data, or internal labels to viewers who would not otherwise see the raw source.

Natural-Language Policy Violations

Severity: Medium, confidence 88%
The style explicitly instructs generated pages to preserve a light paper-themed color scheme even when the browser prefers dark mode. This can degrade accessibility and user comfort in low-light conditions, and it overrides an important user-agent preference without opt-in, but it does not create a direct confidentiality, integrity, or code-execution risk. In this skill context, the issue is somewhat limited because it affects presentation of generated HTML rather than system security boundaries.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.