Full-Stack Web Engineer

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly educational web-engineering guidance, but one API example could lead users to create an unauthenticated admin account path if copied into a real app.

Review before installing or using this skill for code generation. If used, do not copy the user-creation example as-is: self-service registration should assign a safe default role server-side, and privileged role assignment should require authenticated admin authorization.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

High

Confidence: 98% confidence
Finding: The skill presents a user-creation route with no authentication while allowing the client to supply the role field and select admin. In a real implementation, this enables unauthenticated privilege escalation by self-registering an administrator account, directly undermining the authorization model described elsewhere in the document.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal