hug-html

Security checks across malware telemetry and agentic risk

Overview

This skill is a local HTML template generator/editor with a low-risk HTML injection caveat when using untrusted content.

Install only if you are comfortable running local Python scripts that generate and write HTML files. Avoid feeding it untrusted content JSON or opening generated HTML from untrusted sources, because raw HTML or scripts may be preserved in the output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Low
Confidence: 97%
Finding
User-supplied content is inserted directly into HTML via raw string replacement with no escaping or sanitization. If the generated HTML is later opened in a browser, an attacker-controlled value can inject markup or script, leading to stored/self-XSS in the produced artifact.

VirusTotal

65/65 vendors flagged this skill as clean.
