2D Print

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward local printing skill, with the main risk being accidental printing or cancellation if the agent acts too broadly.

Before installing, make sure you are comfortable with an agent being able to submit or cancel local print jobs. Ask it to show the printer name, file path, copy count, color mode, and destination before printing, especially for remote or cloud printers.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The skill metadata says it activates when users mention broad concepts like '2D 打印、打印图片、打印文件', which can easily overlap with ordinary conversational requests and cause the skill to trigger unexpectedly. Because this skill can invoke local print operations, over-broad activation increases the chance of unintended physical actions, wasted materials, or printing sensitive files without sufficiently explicit user intent.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill documents direct use of `lp` and `cancel` commands for printing and cancelling jobs, but it does not require explicit warnings or confirmation before irreversible operations are performed. In context, this is more dangerous because the skill controls a real local printer and names both a physical printer and a remote/cloud printer, so mistakes could waste paper/ink, disrupt active jobs, or send sensitive documents to unintended destinations.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal