Back to skill

Security audit

项目宣传页和长截图一键生成工具

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a local project-introduction generator, but it needs Review because it includes an under-documented Git clone path that can pass user input directly into a shell command.

Install only if you are comfortable with it reading the project directory you point it at and writing HTML/PNG outputs there. Avoid using any --git or remote-repository mode until the clone command is changed to a safe argument-array API with URL validation, and treat generated/opened HTML as potentially containing project metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises local project intro generation but the analysis indicates code capabilities for environment access and networking without any declared permissions. That creates a transparency and consent problem: users and the platform may not realize the skill can read sensitive environment data or communicate externally, which increases the risk of unintended data exposure if project contents or metadata are transmitted.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
This is a significant description-behavior mismatch: the skill claims to generate a local project intro page, but the implementation reportedly also clones remote repositories, accesses third-party services, invokes git, and uses Playwright/browser automation. Hidden remote fetching and browser execution materially expand the attack surface, can process untrusted content, and may expose local or repository data beyond what the user reasonably expects.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The README presents the skill as a local project intro generator, but the documented presence of `src/git.js` indicates repository cloning capability that is not explained or justified in the user-facing description. Hidden or under-disclosed network/file acquisition features expand the trust boundary and could allow unexpected retrieval and processing of remote content, which is risky for a tool expected to operate only on local directories.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Git repository cloning is a materially different capability from scanning a local project folder and generating HTML/PNG output. If exposed without clear disclosure and guardrails, it could be used to fetch untrusted remote repositories, process attacker-controlled content, or access internal repositories in environments where the user assumes the skill is local-only.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file dynamically injects a remote script from jsDelivr at runtime instead of bundling a local dependency. This creates a supply-chain and integrity risk: if the CDN, dependency, or network path is compromised, arbitrary JavaScript will execute in the skill's origin and can access page data, user content, and exported project information.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The manifest describes local project intro generation, editing, and export, but this code performs network retrieval of third-party executable code without clear necessity. That mismatch increases risk because users and reviewers may assume offline/local behavior while the skill actually expands trust to an external code host that can change behavior at runtime.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code builds a shell command with untrusted input using execSync(`git clone --depth 1 ${gitUrl} ${tempDir}`), which can lead to OS command injection if gitUrl contains shell metacharacters. In addition, pulling arbitrary remote repositories is broader than the declared skill purpose, increasing risk because it introduces network access and untrusted content retrieval without clear justification.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The function accepts arbitrary HTTP/HTTPS URLs and loads them in a headless browser, even though the skill is described as generating and exporting local project intro pages. This expands the trust boundary to remote content, enabling server-side request forgery style access to internal resources, unexpected network activity, and screenshotting of attacker-controlled pages if untrusted input can reach htmlPath.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Remote page loading is not necessary for the stated local-export purpose, so permitting it creates unnecessary attack surface. A caller who can influence htmlPath can make the process fetch attacker-controlled or internal URLs, causing unintended outbound requests and processing untrusted web content in Playwright.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The trigger keyword "readme" is overly broad and could cause the skill to activate in unrelated conversations. In a skill that scans directories and generates files, accidental invocation increases the chance of unintended local file processing or disclosure of project metadata when the user did not mean to run the tool.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill description does not clearly warn users that it traverses the local project directory and analyzes code files. In context, this matters because repository scanning can reveal sensitive source code structure, dependency information, and embedded secrets or internal names, and users may not understand the scope of access being granted.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger keyword "readme" is overly generic and is likely to match many user requests that are not actually asking for a project introduction page. This can cause the skill to activate in unintended contexts, leading to prompt hijacking of unrelated workflows, user confusion, or inappropriate handling of sensitive repository content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/git.js:8