Mobile Responsive Layout Fixer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a text-only responsive-design helper skill with routing-quality problems, not evidence of malware or hidden unsafe behavior.

Install only if you want a responsive UI workflow helper, and prefer invoking it explicitly for mobile layout or navbar issues. Be aware it may activate too broadly in frontend conversations, and treat its requirement-plan citations as weak until the publisher replaces unrelated evidence.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (10)

Intent-Code Divergence

Medium

Confidence: 97% confidence
Finding: The evidence section claims validated demand for mobile responsiveness, but most cited links are unrelated topics such as Rust disk usage, R performance, C++ constants, and Windows Media Player. This undermines the provenance and trust model of the skill, making it easier to smuggle in unsupported or fabricated requirements and causing downstream users or agents to rely on false justification for activating or prioritizing the skill.

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The trigger sentences are broad and mechanically repeat the full requirement text, which can cause accidental or overly permissive invocation of the skill in contexts only loosely related to responsive design. In an agent ecosystem, ambiguous routing can expose users to irrelevant instructions, increase prompt-surface confusion, and make it easier for a low-quality or misleading skill to be selected when a narrower tool should have been used.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger phrases are broad enough to match ordinary user requests about responsive design, layout, or frontend work, which can cause the skill to activate in contexts the user did not explicitly intend. This creates an overreach/problematic routing risk: the agent may apply this workflow too often, potentially displacing more appropriate skills or injecting irrelevant instructions into normal conversations.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger keywords are broad enough to match many normal frontend conversations, which can cause the skill to activate outside its intended scope. Over-broad activation increases the chance of irrelevant instruction injection into unrelated workflows and can steer users toward this skill when a more appropriate or safer skill should handle the request.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The manifest description is phrased so broadly that it can apply to a large range of common design and frontend tasks, creating ambiguity about when this skill should be selected. In systems that route by description, this can cause mis-selection, unnecessary exposure of the skill's instructions, and interference with other skills meant for narrower tasks.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger keywords are broad enough to overlap with ordinary frontend conversations, such as generic mentions of layout, frontend, or responsive design. This can cause unintended skill activation, which may inject irrelevant workflow guidance into unrelated requests and reduce user control over when the skill is used.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill description defines activation conditions in a very broad way, covering multiple common topics without clear boundaries or disambiguation rules. In practice this can lead to over-triggering on normal design or frontend discussions, causing unintended use of the skill and potentially crowding out more appropriate handling.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The skill enables allow_implicit_invocation without defining any trigger constraints, so the platform may invoke it based on broad or ambiguous user intent matches. That increases the chance of unintended activation, causing the agent to apply this skill in contexts the user did not clearly request and potentially exposing downstream workflows to prompt-routing abuse or unexpected behavior.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger sentence starts with a very broad phrase ('Help me ...') and then embeds the full requirement text, which can cause accidental activation in unrelated conversations. Overbroad activation conditions increase prompt-surface risk because an agent may invoke this skill when the user did not explicitly request it, leading to incorrect behavior or unintended processing paths.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The phrase 'I need a practical workflow for ...' is generic enough that it may match many benign requests without a clear boundary to mobile UI work. In a skill-routing system, ambiguous triggers can cause unintended tool selection, which is dangerous because it expands the attack surface for prompt injection, misrouting, and user-confusing outputs.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal