Snipgrapher - generate images from code snippets

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent guide for generating code-snippet images, with a disclosed npm fallback that users should treat as a supply-chain consideration.

Before using this skill in a sensitive repository, prefer installing or pinning a trusted snipgrapher version instead of relying on automatic `npx --yes`, and review any proposed config-file changes before the agent writes them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding:
The guidance explicitly tells the agent to fall back to `npx --yes snipgrapher ...` when the tool is unavailable, which can trigger on-demand package download and execution from a registry. That expands the skill from using an installed local renderer to executing remote package code, creating supply-chain and unexpected code-execution risk if the package, resolution, or environment is untrusted.

Missing User Warnings

Medium
Confidence: 84%
Finding:
The instruction to 'Ensure configuration exists (create/update `snipgrapher.config.*` first)' authorizes modifying repository files as a default behavior without requiring user confirmation. In an agent context, silent file creation or mutation can alter project behavior, overwrite existing configuration, or introduce persistence beyond the user's immediate request.

VirusTotal

63/63 vendors reported this skill as clean.