Security audit

Power Cad Drafter

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a purpose-aligned electrical CAD helper that creates expected drawing and audit files, with some scoping and overwrite cautions but no evidence of malicious behavior.

Before installing, note that this skill should be used only in a project workspace where creating CAD/report files is intended. Choose an explicit output directory, and check for existing files before running the scripts. Treat the generated drawings and audit report as draft engineering assistance, not as final professional approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill instructs reading a local company code file and generating multiple project artifacts, which implies file read/write capabilities without any declared permissions or user-facing constraints. This weakens transparency and safety controls, and could lead to unauthorized access to local files or unexpected artifact creation/overwrite in the workspace.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The trigger conditions are broad enough to activate on ordinary design-review or diagram-related requests, which can cause the skill to engage outside a narrowly defined electrical CAD workflow. In context, this is more dangerous because the skill can then read reference files and generate/write multiple artifacts, increasing the chance of unintended execution or workspace modification.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding:
The skill describes packaging drawings, JSON, reports, and CSV outputs but does not warn that it will create a zip archive and multiple files in the workspace, potentially overwriting existing project artifacts. While not inherently malicious, this lack of disclosure reduces informed consent and can cause accidental data loss or confusion in shared project directories.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.