Frontend Patterns

Security checks across malware telemetry and agentic risk

Overview

This is a guidance-only frontend coding skill with no hidden execution, credential use, or persistence found.

Reasonable to install for React/Next.js guidance. If you only want this skill used when explicitly requested, disable implicit invocation or narrow its trigger wording; otherwise review generated frontend code as you normally would.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 84%
Finding
The default prompt is broad and generic enough that the skill may be invoked in situations where the user did not explicitly request this specific frontend-focused capability. Because implicit invocation is enabled, this increases the chance of over-triggering the skill and injecting its guidance into unrelated workflows, which can cause unintended behavior or response shaping.

VirusTotal

66/66 vendors flagged this skill as clean.
