Back to skill

Security audit

Mobile Responsive Layout Fixer

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for helping with mobile responsive layout work; its main downside is that it may activate too broadly on general frontend requests.

Installers should expect this skill to provide workflow/checklist-style help for mobile responsiveness and navbar/layout fixes. Be aware it may activate on broad frontend or layout wording because implicit invocation is enabled; explicit skill invocation is preferable when you specifically want this workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger sentences are broad enough to match ordinary user requests about mobile responsiveness, layouts, or frontend help, which can cause the skill to activate when the user did not explicitly intend to invoke it. Over-broad activation increases the chance of misrouting requests, unexpected instruction injection into unrelated tasks, and reduced user control over which skill governs the interaction.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger keywords are broad enough to match many ordinary frontend conversations, which can cause the skill to activate outside its intended scope. Over-broad activation increases the chance of prompt/context injection into unrelated tasks, creates routing ambiguity, and may lead the agent to apply this workflow when a more appropriate skill or safer baseline behavior should be used.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The manifest description uses expansive 'use when' language covering generic topics like creative-and-content, mobile responsive, navbar, and layout without clear boundaries. This can cause accidental invocation on loosely related requests, widening the skill’s effective authority and increasing the risk of unintended behavior or interference with other skills.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger keywords are broad and include common frontend terms like "layout" and "frontend", which can cause the skill to activate during ordinary discussions that do not actually require this workflow. Over-triggering can route users into irrelevant guidance, reduce reliability of skill selection, and create opportunities for unintended instruction injection from loosely related prompts.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation description relies on vague natural-language conditions such as when the user asks about creative content, mobile responsive, navbar, or layout, without clearly defining boundaries for activation. This ambiguity increases accidental invocation risk and may cause the agent to apply this skill in contexts where its workflow is not appropriate or where other safer, more precise skills should be chosen.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill enables implicit invocation (`allow_implicit_invocation: true`) without any visible constraints on when it should activate. That can cause the agent to invoke this skill unexpectedly on broad user requests about design or layout, increasing the risk of prompt-scope confusion, unintended tool use, or an attacker steering the agent into this skill when it was not explicitly requested.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase 'Help me ...' is an extremely broad, everyday expression that can cause accidental or overly permissive skill activation. In an agent environment, broad activation increases prompt-scope confusion and may invoke this skill in contexts unrelated to responsive-layout work, creating opportunities for unintended behavior or misuse of the skill routing layer.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The phrase 'I need a practical workflow for ...' is ambiguous about when the skill should activate because it describes a generic request pattern rather than a clearly bounded task signature. This can lead to over-triggering for unrelated workflow requests, reducing isolation between skills and increasing the chance that the wrong skill handles user input.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.