p5

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a low-impact informational helper, though its description overstates what it actually does.

Install this only if you want a P5 information/reference helper. Do not expect it to create or export sketches unless the publisher updates the implementation; the exec permission is worth noting, but the supplied evidence shows only a narrow static script.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 96% confidence
Finding: The manifest and prose describe P5 as a platform for interactive sketch creation, generative art, and visual programming. However, the only documented skill behavior in this file is to run `scripts/p5-info.sh` and present platform information, not to create sketches or perform creative coding actions.

Intent-Code Divergence

Medium

Confidence: 89% confidence
Finding: The overview and example responses present the skill as enabling users to create and export sketches, implying operational creative tooling. Yet the 'How to Respond' section instructs the assistant merely to run an info script and report its output, which contradicts the broader functional portrayal of the skill.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal