mo-test-1

Security checks across malware telemetry and agentic risk

Overview

This skill appears safe for generating p5.js browser art, with a notable but non-security concern that it pushes Anthropic-style UI branding.

Reasonable to install for p5.js generative art. Be aware that generated HTML may contact public CDNs for p5.js and fonts, and consider removing or neutralizing the Anthropic-style branding before publishing or sharing outputs to avoid implying affiliation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (4)

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to copy Anthropic-branded template content verbatim rather than only using it as a neutral structural reference. That creates unnecessary propagation of proprietary branding/UI elements and expands the skill's behavior beyond creating original generative art, increasing the risk of impersonation, unauthorized brand use, or policy-bypassing wrapper reuse.

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: Mandating preservation of Anthropic branding and exact styling is not necessary for an algorithmic-art skill and can cause outputs to appear officially affiliated or endorsed. In this context, the branding requirement is more dangerous because the skill's legitimate purpose is art generation, so forced brand mimicry is unrelated capability creep with impersonation risk.

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The trigger scope is broad enough to match many ordinary art or code requests, causing the skill to activate outside narrowly intended situations. Overbroad activation increases the chance that users are funneled into the skill's unnecessary branding-copying and rigid output behavior even when they did not request it.

Natural-Language Policy Violations

Medium

Confidence: 95% confidence
Finding: Forcing a specific branded visual style without user opt-in introduces unauthorized brand presentation and reduces transparency about authorship or affiliation. In an art-generation skill, this is especially unjustified because visual style should be driven by user needs or neutral defaults, not hidden mandatory brand mimicry.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal