
Security audit

pretext

Security checks across malware telemetry and agentic risk

Overview

This is a developer text-layout skill with disclosed optional browser/demo output, and I found no hidden data theft, destructive behavior, or automatic privileged action.

Install it like a normal developer tool in a trusted workspace. Prefer the numeric measurement scripts for routine use, review generated HTML/JavaScript before opening or pasting it into a browser, avoid running the CDN-based snippet on sensitive logged-in pages, and treat the unrelated crypto/purchase metadata tags as something the publisher should fix.

SkillSpector (by NVIDIA)
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Medium severity, 91% confidence
The README expands the skill’s advertised behavior from text measurement/layout into DOM rendering and particle animation generation. In an agent setting, this scope drift is dangerous because it can cause the agent to invoke capabilities that produce executable or renderable artifacts outside the declared trust boundary, increasing the chance of unintended code generation or misuse.

Description-Behavior Mismatch

Medium severity, 94% confidence
Listing scripts such as DOM-rendering and particle-generation tools signals that the package contains capabilities beyond pure measurement. Even in README form, this matters because agents may rely on documented commands to decide what to execute, leading them to run artifact-generating workflows that were not expected from the stated skill purpose.

Description-Behavior Mismatch

Medium severity, 95% confidence
The examples explicitly instruct generation of HTML snippets and direct DOM-oriented output, which goes beyond passive analysis into content generation that could later be embedded in a browser context. That broadens the attack surface because agents may copy or execute generated markup without applying the stricter scrutiny normally used for code-producing skills.

Description-Behavior Mismatch

Medium severity, 92% confidence
Advertising particle motion and animation generation is outside the stated text measurement mission and indicates feature creep into interactive content generation. In an agent ecosystem, mismatched capabilities make policy enforcement harder and can cause the skill to be selected for tasks that involve producing active browser content rather than safe arithmetic layout calculation.

Description-Behavior Mismatch

Medium severity, 85% confidence
The section documents render-dom.js producing HTML snippets and DOM-oriented rendering helpers despite the skill promising '无需触碰 DOM' ("no need to touch the DOM"), i.e. zero-DOM arithmetic measurement. This is dangerous because consumers may invoke the skill under the assumption it is computation-only, while it can emit executable or directly embeddable markup that affects browser contexts and expands the risk profile.

Description-Behavior Mismatch

Medium severity, 83% confidence
The particle animation generator goes beyond text measurement into interactive HTML/Canvas demo creation, including browser-executable output. While not inherently malicious, it materially broadens functionality from passive measurement to active content generation, which can mislead agents about what the skill will produce and where that output may execute.

Description-Behavior Mismatch

Medium severity, 95% confidence
The script emits browser code that loads a third-party library from unpkg at runtime, creating an external network dependency and supply-chain trust boundary that contradicts the skill's "pure arithmetic" and DOM-free positioning. In an agent context, generated snippets may be copied into privileged browser sessions, so a compromised CDN response, dependency drift, or unexpected network egress could execute untrusted code in the user's page context.
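The practical check for this finding is to inspect any generated snippet for runtime script loads before it goes anywhere near a logged-in page: which origin is loaded, whether the version is pinned, and whether the tag carries a Subresource Integrity hash so the browser refuses a changed file. The code below is an added example and is not part of the pretext skill or of SkillSpector. The sample snippet, the host cdn.example.com and the integrity value "sha384-PLACEHOLDER" are constructed for illustration; the allowlist of hosts is a parameter you would set per project.

```javascript
// Added example: audit a generated HTML/JS snippet for third-party script loads
// before pasting it into a browser. Not the pretext skill's own code.

const EXTERNAL_SCRIPT_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
// Dynamic loads that no integrity attribute can cover: import("https://...") and el.src = "https://..."
const DYNAMIC_LOAD_RE = /(?:import\(\s*|\.src\s*=\s*)["'`](https?:\/\/[^"'`]+)["'`]/g;
const RISK_RANK = { none: -1, low: 0, medium: 1, high: 2 };

function isExternal(url) {
  return /^(?:https?:)?\/\//i.test(url);          // absolute or protocol-relative URL
}

function describeLoad(url, hasIntegrity, allowedHosts) {
  const abs = url.startsWith('//') ? 'https:' + url : url;
  let host;
  try { host = new URL(abs).host; } catch { host = '(unparseable)'; }
  // unpkg/jsdelivr style pinning: package@MAJOR.MINOR.PATCH; without it the CDN serves "latest"
  const pinned = /@\d+\.\d+\.\d+(?:[/?#]|$)/.test(abs);
  let risk;
  if (hasIntegrity) risk = 'low';       // browser rejects any byte change in the file
  else if (pinned) risk = 'medium';     // fixed version, but nothing verifies the content
  else risk = 'high';                   // floating version: the CDN decides what runs in the page
  return { url, host, allowedHost: allowedHosts.includes(host), pinned, integrity: hasIntegrity, risk };
}

function auditExternalLoads(snippet, allowedHosts = []) {
  const findings = [];
  for (const m of snippet.matchAll(EXTERNAL_SCRIPT_RE)) {
    if (!isExternal(m[1])) continue;               // same-origin file: not a CDN dependency
    findings.push(describeLoad(m[1], /\bintegrity\s*=/i.test(m[0]), allowedHosts));
  }
  for (const m of snippet.matchAll(DYNAMIC_LOAD_RE)) {
    findings.push(describeLoad(m[1], false, allowedHosts));
  }
  return findings;
}

function worstRisk(findings) {
  return findings.reduce((w, f) => (RISK_RANK[f.risk] > RISK_RANK[w] ? f.risk : w), 'none');
}

// Constructed sample snippet (not output of the skill). The integrity value is a placeholder.
const SAMPLE_SNIPPET = `
<canvas id="demo" width="320" height="240"></canvas>
<script src="https://unpkg.com/some-lib/dist/lib.min.js"></script>
<script src="https://cdn.example.com/vendor@2.1.0/vendor.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="./local-helper.js"></script>
<script>
  import("https://unpkg.com/other-lib@1.0.0/esm/index.js").then(run);
</script>
`;

if (typeof require !== 'undefined' && require.main === module) {
  const findings = auditExternalLoads(SAMPLE_SNIPPET, ['cdn.example.com']);
  console.table(findings);
  console.log('worst risk:', worstRisk(findings));
}
```

Anything rated high here is a floating dependency: the page will run whatever unpkg serves for that package at the moment it loads, which is exactly the condition the finding describes. Pinning the version reduces drift; only an integrity attribute makes a swapped CDN response fail closed.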

Description-Behavior Mismatch

High severity, 94% confidence
The file materially diverges from the declared skill purpose: instead of a pure text measurement/layout utility, it generates an interactive particle-animation HTML page with embedded JavaScript. In agent/tooling contexts, capability mismatch is dangerous because callers may trust the manifest and invoke the skill in higher-trust workflows, unintentionally granting file-generation and presentation behavior that was not expected or reviewed.

Context-Inappropriate Capability

Medium severity, 91% confidence
The script writes a generated HTML file to disk, which is an unnecessary side effect for a skill advertised as arithmetic-only text measurement. Unexpected filesystem writes expand the attack surface in agent environments: they can create artifacts that are later opened, served, or trusted by users or downstream processes, especially when the HTML contains untrusted user-controlled content embedded into script and style contexts.

Description-Behavior Mismatch

Medium severity, 94% confidence
The file materially expands the skill from a claimed pure arithmetic text-measurement engine into a generator of executable HTML/JavaScript snippets intended to be pasted into a browser console. That mismatch is dangerous because downstream systems or users may trust the skill as non-DOM/non-scripted and then unknowingly introduce active client-side code into a page, increasing XSS and capability-scope risk.

Description-Behavior Mismatch

Medium severity, 89% confidence
Interactive rendering features such as accordion HTML, chat bubble rendering, inline event handlers, and hover animation scripts go beyond passive layout calculation and create executable UI artifacts. In a skill advertised for precomputation and arithmetic-only measurement, this broadens the attack surface and may cause consumers to embed generated markup/scripts without appropriate sanitization or review.
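The three findings above (the HTML file written to disk with user-controlled text in script and style contexts, the console-paste snippets, and the inline event handlers) share one root concern: text that the skill measures ends up interpolated into markup and script. The example below is added here and is not the skill's rendering code; it shows a generator written the quick way beside one that escapes per context, with a constructed payload that closes the script element in the naive version. The function and variable names are the example's own.

```javascript
// Added example: embedding user-supplied text into generated HTML safely.
// Not the pretext skill's code; illustrates the risk the findings describe.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Text and attribute contexts: neutralise the five characters that change HTML parsing.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Inline <script> data context: serialise as JSON, then escape what JSON leaves raw.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')       // "</script>" inside the data can no longer end the element
    .replace(/\u2028/g, '\\u2028')  // valid JSON, but a JS syntax error in string literals before ES2019
    .replace(/\u2029/g, '\\u2029');
}

// Unsafe: how a demo generator tends to be written. Every interpolation is raw.
function renderUnsafe(text, color) {
  return `<div style="color:${color}">${text}</div>
<script>const text = "${text}";</script>`;
}

// Hardened: each interpolation point uses the treatment for its context.
function renderSafe(text, color) {
  // style context: escaping is not enough, so accept only a fixed shape (#rrggbb) and fall back otherwise
  const safeColor = /^#[0-9a-fA-F]{6}$/.test(color) ? color : '#000000';
  return `<div style="color:${safeColor}">${escapeHtml(text)}</div>
<script>const text = ${jsonForScript(text)};</script>`;
}

function countOccurrences(haystack, needle) {
  return haystack.split(needle).length - 1;
}

// Constructed payload: ends the script element, injects a tag, and breaks out of the JS string.
const PAYLOAD = '</script><img src=x onerror=alert(1)>"; alert(2); //';
const BAD_COLOR = 'red;background:url(javascript:alert(3))';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('--- unsafe ---\n' + renderUnsafe(PAYLOAD, BAD_COLOR));
  console.log('--- safe ---\n' + renderSafe(PAYLOAD, BAD_COLOR));
}
```

The unsafe output contains three `</script>` sequences, so the browser ends the script where the payload says and parses the injected tag; the hardened output has exactly one, the generator's own. The same per-context rule applies to inline handlers: generated markup should not put measured text inside an `onclick` or `onmouseover` attribute at all, since an attribute value that is later evaluated as JavaScript needs both HTML and JS escaping.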

Intent-Code Divergence

Medium severity, 92% confidence
The comments claim the engine does not touch the DOM, while the file explicitly renders DOM elements and emits browser-executable code. This deceptive or inconsistent documentation undermines security review and safe integration because operators may apply a lower-risk trust model than the code actually warrants.

VirusTotal

64/64 vendors reported this skill as clean; no engine flagged it.

Static analysis

Detected: suspicious.dangerous_exec (Critical)

Shell command execution detected (child_process) at:
  • scripts/install-deps.js:41
  • scripts/test-compare.js:25
  • scripts/test-zh-en.js:20
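A child_process hit on its own does not say whether a script runs a fixed command or assembles one from input, which is the difference between "a developer tool that shells out" and a command-injection sink. The triage below is an added example and not part of the skill or of the scanner; it classifies each call by whether the command argument is a literal and whether the call goes through a shell. The scan above gives only file:line locations, so the sample sources here are constructed and are not the contents of install-deps.js, test-compare.js or test-zh-en.js.

```javascript
// Added example: triage child_process call sites found by a static scan.
// Not the pretext skill's code; sample sources below are constructed.

// Only files that actually import child_process are scanned, which also filters out
// the common false positive of RegExp.prototype.exec(). Review remaining hits by hand.
const IMPORTS_CP = /require\(\s*['"](?:node:)?child_process['"]\s*\)|from\s+['"](?:node:)?child_process['"]/;
// Call name plus its first argument (up to the first comma or closing paren).
const CALL_RE = /(?<![\w$])(execSync|exec|spawnSync|spawn|execFileSync|execFile)\s*\(\s*([^,)]+)/g;

function classifyCall(fn, rawArg) {
  const arg = rawArg.trim();
  const quoted = /^(['"])(?:(?!\1)[^\\]|\\.)*\1$/.test(arg);
  const plainTemplate = arg.startsWith('`') && !arg.includes('${');
  const literal = quoted || plainTemplate;
  const viaShell = fn === 'exec' || fn === 'execSync';   // parsed by /bin/sh (cmd.exe on Windows)
  if (literal) {
    return { risk: 'low', note: viaShell ? 'fixed command string; confirm what it runs' : 'fixed program name, no shell' };
  }
  if (viaShell) {
    return { risk: 'high', note: 'command built at runtime and parsed by a shell: injection if any part is attacker-influenced' };
  }
  // spawn/execFile take an argv array, so no shell parsing, but the program itself is chosen at runtime.
  // Note: a { shell: true } option would reintroduce shell parsing and is not visible in the first argument.
  return { risk: 'medium', note: 'program name chosen at runtime; verify where the value comes from' };
}

function scanSource(file, source) {
  if (!IMPORTS_CP.test(source)) return [];
  const hits = [];
  source.split('\n').forEach((lineText, i) => {
    for (const m of lineText.matchAll(CALL_RE)) {
      hits.push({ file, line: i + 1, fn: m[1], arg: m[2].trim(), ...classifyCall(m[1], m[2]) });
    }
  });
  return hits;
}

// Constructed samples (not the skill's files).
const SAMPLES = {
  'fixed-install.js': [
    "const { execSync } = require('node:child_process');",
    "execSync('npm install', { stdio: 'inherit' });",
  ].join('\n'),
  'dynamic-compare.js': [
    "const cp = require('child_process');",
    "const fixture = process.argv[2];",
    "cp.execSync(`node measure.js ${fixture}`);",
    "cp.execFileSync('node', ['measure.js', fixture]);",
  ].join('\n'),
  'no-child-process.js': "const m = /ab+c/.exec(input);",
};

function scanAll(samples) {
  return Object.entries(samples).flatMap(([name, src]) => scanSource(name, src));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(scanAll(SAMPLES));
}
```

For the three locations the scan reports, the question to answer by opening each file is which row of this table it lands in: a literal `npm install` in an install script is the expected shape for a developer tool, while a template literal fed from arguments or environment would justify the Critical rating regardless of the clean VirusTotal result.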