Article To Html

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate article-to-HTML infographic helper, with some privacy and local-execution caveats users should understand.

Install this only if you are comfortable with it generating local HTML files and running its included post-processing script on those files. For more private use, remove Google Fonts imports and adjust the screenshot step to serve only the generated output on 127.0.0.1, then stop the server when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill instructs the agent to generate HTML and run a post-processing script, which implies file creation/modification capabilities, but no permissions are declared. This creates an authorization mismatch: users and the platform are not clearly informed that the skill writes files, reducing transparency and potentially enabling unintended filesystem changes.

Description-Behavior Mismatch

High
Confidence: 94%
Finding
The file does not implement the advertised article-to-infographic behavior and instead contains a hard-coded HTML summary for an unrelated App Store preflight project. This is dangerous because skill/package mismatch can mislead users, hide undeclared functionality, and indicate the delivered artifact was swapped, repurposed, or incorrectly bundled, which undermines trust and reviewability.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The output contains unrelated App Store preflight content, which is outside the declared scope of an article-to-HTML infographic skill. In skill ecosystems, unexplained off-scope content is risky because it may reflect prompt/output contamination, hidden cross-project data leakage, or intentional misrepresentation of capabilities.

Context-Inappropriate Capability

Low
Confidence: 96%
Finding
The HTML imports Google Fonts from a third-party origin, which causes client browsers to make outbound requests and disclose metadata such as IP address, user agent, and access timing. In an article-to-HTML skill, this is not necessary for core functionality and creates an avoidable privacy and supply-chain dependency, though the impact is limited because it does not directly enable script execution or code injection.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
Instructing the agent to run `python3 -m http.server 8899 --directory <html所在目录> &` (the placeholder `<html所在目录>` stands for the directory containing the generated HTML) exposes a local directory over HTTP, creating an unnecessary network service for a content-to-infographic skill. If the served directory contains additional files or the bind address is broader than intended (Python's `http.server` listens on all interfaces unless `--bind 127.0.0.1` is given), local data may be exposed to other processes or hosts on the network.

Context-Inappropriate Capability

Low
Confidence: 94%
Finding
The template imports Google Fonts from an external domain, which causes client-side network access whenever the HTML is rendered. In a local article-to-HTML skill, this introduces unnecessary third-party dependency, leaks user metadata such as IP address and user agent, and can break in offline or restricted environments.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger examples and description are broad enough to match common requests like '做张图' ("make a picture") or '可视化这篇文章' ("visualize this article"), which can cause the skill to activate outside narrowly intended scenarios. Over-broad activation increases the chance of prompt hijacking or accidental invocation, especially because the skill fetches/transforms arbitrary links or text into output.

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger phrases are very broad and overlap with common requests such as making an image, visualizing an article, or turning notes into content. This can cause the skill to activate unexpectedly in benign conversations, leading to unanticipated HTML generation, file writes, and shell-script execution in contexts where the user did not explicitly request those actions.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill mandates execution of a local shell script as a compulsory step but does not disclose this operationally significant action to the user. Hidden or non-consensual shell execution is dangerous because it expands the attack surface from prompt-only content generation to local code execution, and the script processes generated files that may be influenced by untrusted user input.

VirusTotal

66/66 vendors flagged this skill as clean.