Back to skill

Security audit

svg-generator-pro

Security checks across malware telemetry and agentic risk

Overview

This is a local SVG background generator with a misleading PNG helper, but it does not show hidden data access or harmful behavior.

Reasonable to install for local decorative SVG generation. Treat svg-to-png as a placeholder rather than a true converter, verify generated images before relying on them, install any Node dependencies from trusted sources, and choose output paths carefully to avoid overwriting existing files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script advertises SVG-to-PNG conversion but ignores nearly all SVG content and produces a hard-coded image using only extracted width and height. In an agent skill that may be relied on for automated asset generation, this is dangerous because it silently corrupts user intent and can cause downstream systems to trust falsified outputs as faithful conversions.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The comments imply a simplified conversion process, but the code does not convert SVG content at all beyond reading dimensions. This mismatch increases the risk of operator deception and misuse, especially in automation contexts where comments and filenames are used to infer behavior.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This script advertises SVG-to-PNG conversion but never renders the supplied SVG; it only reads the file and outputs a hard-coded gradient image. In an agent skill that users may trust for content generation, this is dangerous because it silently produces incorrect output, can mislead downstream workflows, and may conceal that user-provided content was ignored entirely.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The comments imply a simplified form of SVG rendering is happening, but no SVG rendering occurs at all. This mismatch increases risk because maintainers and users may trust the code path as a legitimate converter, making the deceptive behavior harder to notice and easier to ship in production automation.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README presents quoted natural-language strings such as "Generate a tech-style background with blue-purple colors" as if they are commands, without clearly constraining the invocation surface. In an agent environment, broad NL triggers can overlap with ordinary user requests and cause unintended skill activation or routing, especially because the skill domain is generic content generation rather than a tightly scoped operational task.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.